Ars: D-Link agrees to settle FTC charges

[Dan Goodin]

Router and webcam maker D-Link has agreed to implement a new security program to settle charges it failed to safeguard its hardware against well-known and preventable hacks and misrepresented its existing security regimen.

Tuesday’s agreement settles a 2017 complaint by the US Federal Trade Commission that alleged D-Link left thousands of customers open to potentially costly hack attacks.

Continue reading on ArsTechnica

 

[Razor512]

If a company needs to be sued in order to get them to issue firmware updates, then users need to take that info into account when deciding on what to purchase. When they go out of their way to block 3rd party firmware use while also refusing to fix well known security issues, that behavior is in the realm of being malicious.

Given the ruling and the actions required by the FTC being in opposition to what the company wants, it is guaranteed that they will do the bare minimum of compliance and use every loophole possibly to ensure the compliance does not yield the results desired. Think along these lines: https://www.reddit.com/r/MaliciousCompliance/

 

[TheLostSwede]

Well, D-Link hasn't been anything but a branding company for the longest of times, so no wonder they don't care. All their product development and manufacturing is outsourced to third parties. I have personally visited a handful of their hardware manufacturing partners and none of them are making any secrets of it. Why would anyone want to buy products from a company like that?

 

[Razor512]

For me, I don't mind if work is outsourced, as long as it is done right, and the product gets the support it needs. The problem is that many companies are producing utilitarian products that will not be replaced very frequently, but they only want to support it with at most 1 or 2 firmware updates for minor bug fixes, and then completely abandon the product.This is becoming a huge issue, especially for cloud reliant IOT products. Since they need to connect to a remote server, you can't do a bandaid fix of restricting its WAN access and then simply using a VPN server in your network to access it to mitigate some of the remote code exploits, it has to maintain its WAN access, then the product never gets updated and becomes a persistent threat on the user's network.

 

[RMerlin]

Well, D-Link hasn't been anything but a branding company for the longest of times, so no wonder they don't care. All their product development and manufacturing is outsourced to third parties. I have personally visited a handful of their hardware manufacturing partners and none of them are making any secrets of it. Why would anyone want to buy products from a company like that?

Alpha Networks used to be owned by D-Link tho. It was eventually spun off from them.

I've been familiar with Alpha Networks's "product quality" for a long time, as they were also developing the WDTV for Western Digital. Back then, I was involved in a third party firmware project for the WDTV. Let me just say how craptastic the code was back then. It came to me as no surprise when I heard about the backdoors and other crazyness that were found in D-Link's firmware, also a product of Alpha Networks...

Given the ruling and the actions required by the FTC being in opposition to what the company wants, it is guaranteed that they will do the bare minimum of compliance and use every loophole possibly to ensure the compliance does not yield the results desired.

The external audit will take care of ensuring that they stay in line, and the FTC gets to approve the auditor.

BTW, this is pretty much the same deal that happened between Asus and the FTC a few years ago (except the FTC decided to have them monitored for a crazy period of 20 years). Asus's development cycle has certainly improved a lot since then. I've seen first-hand some of the impact it had on the code itself, without mentioning the numerous security issues that were reported and promptly resolved by them these past few years.

 

[TheLostSwede]

No, outsourcing is fine, in fact, it's how most things are made. However, when the company that outsources production of hardware also outsources the production of software, what is then left of the business? How do they know how support their own products? As I said, D-Link is a branding company these days and I doubt they will even be able to support some of their products, as their manufacturing partners have in some cases gone bust. I guess we'll see how things develop, but I'm staying, far, far away from D-Link.

I do hope TP-Link gets the message though, as they're almost as bad as D-Link when it comes to software updates.

I was actually surprised when I had a look recently at Asus' pace at releasing fixes for security related issues on their routers and the model I was looking at was hardly one of their biggest sellers. Having seen that, Asus has moved up my list of recommended router brands.

It would seem that government oversight isn't always a bad thing and self regulation clearly doesn't work...

 

[RMerlin]

I was actually surprised when I had a look recently at Asus' pace at releasing fixes for security related issues on their routers and the model I was looking at was hardly one of their biggest sellers. Having seen that, Asus has moved up my list of recommended router brands.

Having a unified code base greatly helps supporting multiple models for an extended period of time. Many times, all they need to do is recompile the updated code, and it will "just work" for many of these older models, as long no changes are related to the platform SDK, and they didn't add new features that might push the hardware beyond its capabilities. Fortunately, the build system lets you enable/disable features as desired.

Asus still releases a couple of firmware release a year for the RT-N66U which was released to the market in late 2011/early 2012. That's impressive, and the proof that all these programmed obsolescence we witness with smartphones or other router manufacturers are purely driven by economical reasons, not technical limitations.

Personally, I think that any piece of hardware that costs a decent amount of money should be required to get software updates for at least 5 years. Maybe 2 years of feature updates, but security updates and bug fixes should be mandatory for the remaining 3 years. That might not be realistic for sub-100$ Android boxes, but a 200$ router or a 750$ smartphone should definitely not be EOL'ed after only 18 months. This is really wasteful from a recycling point of view for starter.

At least things are very slowly starting to move in the right direction with the FTC calling out companies for bad security practices and misrepresentation (since these products are advertised as security solutions). Let's hope things keep improving.

 

[Smokindog]

I'm really against all this ... Users need to do their homework and buy accordingly. If people started to buy based on performance/function/support instead of solely by price the manufacturers will respond. Regulation never does anything but drive up overall cost and stifle innovation. I worked in high tech for more than forty years and most Companies have "long life cycle" and "short life cycle" products. You may pay more for one over the other but the demand by customers had to be met.

 

[shelbystripes]

I'm really against all this ... Users need to do their homework and buy accordingly. If people started to buy based on performance/function/support instead of solely by price the manufacturers will respond. Regulation never does anything but drive up overall cost and stifle innovation. I worked in high tech for more than forty years and most Companies have "long life cycle" and "short life cycle" products. You may pay more for one over the other but the demand by customers had to be met.

History has repeatedly proven again and again, in industry after industry, almost the exact opposite: An unregulated free market only increases harmful behavior.

Your complaint is literally why regulation is needed. People don’t do their homework and buy on more than price, the free market does not naturally eliminate things like horrific security practices, if it did D-Link would not exist in its current form anymore. And it’s not just the individual consumers who suffer from those continued bad practices, it’s society as a whole. When people can easily build malicious botnets because of insecure consumer equipment, that harms society. When people can scrape financial data and steal or reroute millions of dollars, that harms society. When other people connect to someone’s compromised Wi-Fi and also get compromised, that harms society.

Consumers aren’t demanding better products. That’s why regulators are needed.

 

[RMerlin]

I'm really against all this ... Users need to do their homework and buy accordingly.

Alright. Let's say you need to buy a new smart phone. You want something that has 3 years of security updates, since that's how long the phone will last you. Find one.

Or, due to the frequent security issues recently found in Intel CPUs, you want a motherboard that will get BIOS updates for at least 5 years, the typical life expectancy of a PC. Find me one.

The point is, long-term security support that matches a typical life expectancy simply does not exist outside of business-class products. Manufacturers just want you to buy a new product after 18 months, they don't even care if the product is still perfectly fine past these 18 months, but the modern security landscape dictates that every few months, new security issues are found and require patching.

 

[Smokindog]

YA, you'll have to show me that "history proves it". You closed with the real problem Consumers aren’t demanding better products."

You should modify it to "Consumers aren’t demanding better products. That’s why they get what they ask for (or in this case don't)".

History has repeatedly proven again and again, in industry after industry, almost the exact opposite: An unregulated free market only increases harmful behavior.

Your complaint is literally why regulation is needed. People don’t do their homework and buy on more than price, the free market does not naturally eliminate things like horrific security practices, if it did D-Link would not exist in its current form anymore. And it’s not just the individual consumers who suffer from those continued bad practices, it’s society as a whole. When people can easily build malicious botnets because of insecure consumer equipment, that harms society. When people can scrape financial data and steal or reroute millions of dollars, that harms society. When other people connect to someone’s compromised Wi-Fi and also get compromised, that harms society.

Consumers aren’t demanding better products. That’s why regulators are needed.

 

[Smokindog]

The point is, long-term security support that matches a typical life expectancy simply does not exist outside of business-class products.

And THIS is what typically is the biggest differentiation between consumer and business class products AND their respective costs. Right now you've got choice in pricing. Regulate that they both be near identical and they'll cost the same.

Thanks for making my point!

 

[RMerlin]

And THIS is what typically is the biggest differentiation between consumer and business class products AND their respective costs. Right now you've got choice in pricing. Regulate that they both be near identical and they'll cost the same.

Thanks for making my point!

Asus has been updating their routers for 5-7 years, and yet they don't charge business-class pricing on their routers... The 100$ RT-N16 got supported for close to 8 years, and it was always labeled as a home product.

 

[Smokindog]

Asus has been updating their routers for 5-7 years, and yet they don't charge business-class pricing on their routers... The 100$ RT-N16 got supported for close to 8 years, and it was always labeled as a home product.

And THAT is why I buy ASUS products. They provide what I want, no regulation required. THAT is how the free market works!

Again, thank for making my point!

 

[ColinTaylor]

Again, thank for making my point!

I think it's you that's missing the point. You're talking about competition not regulation. The two are not (and should not) be mutually exclusive.

 

[Smokindog]

I think it's you that's missing the point. You're talking about competition not regulation. The two are not (and should not) be mutually exclusive.

Nope, regulation stifles competition. I'm definitely sure I understand the two. UK and Canadian markets are very different so perhaps ....

AGAIN, thanks for helping to make my point!

 

[RMerlin]

Nope, regulation stifles competition. I'm definitely sure I understand the two. UK and Canadian markets are very different so perhaps ....

Right now there's no regulations regarding a minimal level of security provided by product manufacturers, which is why the Internet is plagued with malware, botnets taking down entire networks and what not. One of the largest botnets that hit the Internet these past few years is composed of IP cameras for which manufacturers were not made accountable for poor software development practice and lack of security updates. I suggest you read up on Mirai.

It's fairly visible by now that the current lack of regulations does NOT work, and has led to the currently deteriorating situation of the Internet, as more IoT devices with totally unacceptable code quality are let loose on the Internet.

And THAT is why I buy ASUS products. They provide what I want, no regulation required. THAT is how the free market works!

The FTC are forcing Asus to take stricter care of software security, not the free market. They slapped them with a 20 years long mandatory monitoring a few years ago. Or have you missed the Asusgate incident that led to it? It took a regulatory body to drive Asus to start paying more attention to security. The free market had nothing to do with it...

 

[Smokindog]

It works just fine and you pointed that out. Some manufacturers provide ongoing updates and others do not. The market works, you've got a choice.

I do NOT want the government regulating the Internet and it is NOT the role of government to protect the stupid. At least it's not supposed to be in the US.

Buy a product that does for you what you want.

Stop buying things if you do not like them.

Right now there's no regulations regarding a minimal level of security provided by product manufacturers, which is why the Internet is plagued with malware, botnets taking down entire networks and what not. One of the largest botnets that hit the Internet these past few years is composed of IP cameras for which manufacturers were not made accountable for poor software development practice and lack of security updates. I suggest you read up on Mirai.

It's fairly visible by now that the current lack of regulations does NOT work, and has led to the currently deteriorating situation of the Internet, as more IoT devices with totally unacceptable code quality are let loose on the Internet.



The FTC are forcing Asus to take stricter care of software security, not the free market. They slapped them with a 20 years long mandatory monitoring a few years ago. Or have you missed the Asusgate incident that led to it? It took a regulatory body to drive Asus to start paying more attention to security. The free market had nothing to do with it...

 

[RMerlin]

The problem is, vulnerable devices getting infected or enrolled in botnets are a global problem. Your neighbour's cameras getting infected are responsible for attacking that website you actually visit. So, it's not just a matter of you and I buying stuff we consider more secure, it's a matter of the rest of the world also needing to do so. And in failing to do so, they are affecting everyone else, by increasing the number of zombies on the Internet.

 

[TheLostSwede]

Stop buying things if you do not like them.

You got to be joking, right? Considering how many markets are near monopolies or at least duopolies, what choice do people have?
Routers and Smartphones might be two of the markets where there's still some competition left.
Sometimes consumers can't even vote with their wallets, which is what you propose is the only way things should be done.
Well, you live in a dream world.