FTC Dings ASUS For Selling 'Secure' Routers.

[red_pope]

pwgen is a package available on most mainstream linux distributions..

example output... you can vary the length, the default is 8 characters...

(BTW, I wouldn't use the ones below for obvious reasons)

$pwgen -C 32
iethaephieG6phueF9ewoveohohmeing
tee3xu5dirook8aiSh8Ohheceech1hah
AhChooh8eG6xicesaiY0jeaw0Feiteih
pei6oocoongae1cee6VaeKi8aebi7Eem
ooy5uwie6alooSh9jaem6aethe1rie6A
eiYoh8eegh1shu8bi8IeQua7bee2iawo
Cheepheyosaiphee6pa8jei0Leidaing
geeh6Oed9was1sheiv5eilowaenguvai

I used the Gpgp encryption Idea after posting my comment, did saved it to my encrypted thumb-drive and it does works. darn thing is long, long 150 word=numbers encryption. My challenge will be my wife, Got to notifying her on the new changes to the password after work hours.

 

[red_pope]

Just taking security seriously. The recommendation I found a while back was 32 random characters. I know people who use 63-64 truly random characters. I use a phrase which I can remember with some special characters added and some numbers substituted for similar looking alpha characters. It's really not hard to remember and I think reasonably secure.

I definitely agree

 

[RMerlin]

Is the gov auditor held responsible?

According to the ruling, the auditor is picked by Asus, it's not appointed to them.

 

[RMerlin]

Serious question, I see this as a win for us. Why does it seem like people are upset by this? I do agree that 20 years seems to be a bit much but that's on Asus. What negatives would come from this that would affect the consumer?

If Asus gets singled out and the competitors (who are either as bad or worse) don't? Bad publicity, a tarnished reputation, and loss of sales, while people keep buying insecure products from competitors, thinking that they are better since there was no FTC ruling against them. And potentially losing the only home router manufacturer out there that's actually pushing things development-wise. And we all go back to the days where to gain IDS, malware-scanning or VPN technologies, we have to pay twice as much for a SOHO device.

But if the FTC is consequent with itself and applies the same rules to everyone, then yes, everyone benefits. That'd be the ideal scenario.

 

[nagle3092]

If Asus gets singled out and the competitors (who are either as bad or worse) don't? Bad publicity, a tarnished reputation, and loss of sales, while people keep buying insecure products from competitors, thinking that they are better since there was no FTC ruling against them. And potentially losing the only home router manufacturer out there that's actually pushing things development-wise. And we all go back to the days where to gain IDS, malware-scanning or VPN technologies, we have to pay twice as much for a SOHO device.

But if the FTC is consequent with itself and applies the same rules to everyone, then yes, everyone benefits. That'd be the ideal scenario.

Understandable, I think most people who buy Asus routers will continue to do so though. I don't think they are geared towards mom and pop users (who would take this info and immediately dismiss the brand) and target a more tech savvy crowd. For instance I don't know anyone who owns an Asus router that wouldn't be able to build a PC from scratch besides the people I have given them to/recommended them. Those people all used dreadfully old Netgear/Linksys devices.

I'm sure they are going to take a hit from this from some users who have a knee jerk reaction from the news. But I think Asus will recover.

 

[red_pope]

Understandable, I think most people who buy Asus routers will continue to do so though. I don't think they are geared towards mom and pop users (who would take this info and immediately dismiss the brand) and target a more tech savvy crowd. For instance I don't know anyone who owns an Asus router that wouldn't be able to build a PC from scratch besides the people I have given them to/recommended them. Those people all used dreadfully old Netgear/Linksys devices.

I'm sure they are going to take a hit from this from some users who have a knee jerk reaction from the news. But I think Asus will recover.

As a consumer of Asus products, I hope Asus does what is right. But in the other hand, I use one Tp-link ADSL router, Makes me ponder and wonder, what are they doing to improve their products?

 

[evh909]

I dont know why they were singled out, however what bothers me is that most of the headlines/clickbait read that this is a recent problem, and for those that are not good readers will only remember the headlines and potentially turn people off. As has been stated in other posts, this was from 2014 that has been patched already (within a couple of months), however given the circumstances to me the punishment doesnt really match the crime. Asus is one of the few manufacturers that regularly puts out new firmware to address issues and make improvements and has good third party firmware. Thank god we have a short memory for news as we get so much of it, most people will forget this in a couple of months. I myself didn't even recall too much of the original 2014 issue.

 

[jegesq]

I see a common thread of misunderstanding expressed by some here about the purpose of the FTC and how it operates: First, prosecution, by its very nature is "selective", i.e., someone has to complain first to get the process initiated. While Merlin has pointed out numerous other examples of other manufacturers putting out insecure products, perhaps none have been exposed so blatantly as has Asus' weaknesses.

Keep in mind that the major thrust of the complaint was to get Asus to stop its false advertising and what the FTC alleged to be "unfair business practices" in the complaint, the text of which you can all read here: https://www.ftc.gov/system/files/documents/cases/160222asuscmpt.pdf

I sincerely doubt that this is "politically" motivated at all, or that the FTC is seeking to tar and feather Asus unfairly. Admittedly, AiDisk and AiCloud were disasters. Firmware passwords in clear text was idiotic. And as detailed in the complaint, evidently Asus was aware of the issues, received numerous complaints, and did nothing until these issues arose last year and became a PR crisis.

I am with Nagle on this. I love Asus products and think they happen to make the best and most reliable SOHO equipment. I think we're all going to be better off, as consumers, when companies are actually held to account and pay for what essentially were false advertising and other misrepresentations about the security of devices sold to people who may have had no way of knowing the real risks, or how to correct/prevent them. That's the job of the FTC, i.e., to protect consumers from being ripped off, and their primary focus is on false advertising about a product's quality. Manufacturers either fold and go away, and if they do, one could argue that as consumers, we're all the better for that. Other times, manufacturers step up to the plate and fix the problems, and stop making overly-hyperbolic claims about their products to an unsuspecting public.

Honestly, I don't see how we, as consumers are any worse off for this (other than that the price of Asus' products may rise an by infintessimal factor in order to pay for compliance and fines), and perhaps this will also prompt other manufacturers to tighten up and improve their products as well.

As to the argument that the FTC should also go after Netgear, Linksys/Belkin/Cisco, etc., if anyone wants to speak to the FTC about complaints, you can try the consumer complaint page at https://www.ftc.gov/faq/consumer-protection/submit-consumer-complaint-ftc, or you can speak with a live person at the FTC Help Desk at 877-382-4357.

 

[Nullity]

...

Honestly, I don't see how we, as consumers are any worse off for this (other than that the price of Asus' products may rise an by infintessimal factor in order to pay for compliance and fines), and perhaps this will also prompt other manufacturers to tighten up and improve their products as well.

As to the argument that the FTC should also go after Netgear, Linksys/Belkin/Cisco, etc., if anyone wants to speak to the FTC about complaints, you can try the consumer complaint page at https://www.ftc.gov/faq/consumer-protection/submit-consumer-complaint-ftc, or you can speak with a live person at the FTC Help Desk at 877-382-4357.

Imperfect security is universal. If improving security for everyone is the intent, then we should focus on that, rather than attacking Asus (or any individual entity) for problems that are widespread.

The focus on Asus says to me that the intent is to blame rather than help consumers.

 

[sfx2000]

If Asus gets singled out and the competitors (who are either as bad or worse) don't? Bad publicity, a tarnished reputation, and loss of sales, while people keep buying insecure products from competitors, thinking that they are better since there was no FTC ruling against them. And potentially losing the only home router manufacturer out there that's actually pushing things development-wise. And we all go back to the days where to gain IDS, malware-scanning or VPN technologies, we have to pay twice as much for a SOHO device.

Asus has been taken to the woodshed before by the FTC -- this isn't the first time, and their retail numbers were not impacted...

End of the day - I think this could be a great opportunity for Asus to turn this into a positive... by implementing better process controls, internal auditing, and the attendant engineering development/QA effort (and holding 3rd parties to a higher bar as an integrator), this could actually result in higher quality software released to the customers.

More confidence in the shipping product, perhaps less "updates" out to the customers to fix bugs/security issues (because they're found inside, rather than relying on users and 3rd parties) - it's up to them to turn lemons into lemonade - or make it a win-win - for the current as well as potential customers...

 

[Nullity]

Asus has been taken to the woodshed before by the FTC -- this isn't the first time, and their retail numbers were not impacted...

Sources?

 

[sfx2000]

Sources?

Without going too deep - it was the Netgear/Asus issue with Asus being higher than allowed Tx power on certain channels in 5GHz...

 

[jegesq]

Sources?

I think sfx2000 misspoke; Asus was previously slapped by the FCC, not the FTC for its sale of routers that transmitted signals at powers that exceeded permitted levels. As we all know, Asus was required to change its firmware to prevent this (and hence we have all manner of people here trying to "unlocked" firmware that can transmit at higher power, in addition to other aspects of unlocked firmware) Two different government agencies, Federal Communications Commission and the Federal Trade Commission.

Someone above also used the term "ITC" to refer to the recent FTC complaint and consent settlement agreed to by Asus. Again, two different entities (the "ITC" is the U.S. International Trade Commission, which is concerned with providing international trade expertise to both the President and Congress), whereas the FTC deals with unfair business practices, deceptive advertising and all manner of consumer protection issues that are regulated and controlled at a federal level (i.e., matters that involve, affect or are committed in "interstate commerce" or using an instrumentality of interstate commerce)

The point though is that Asus should do better, and must realize that it isn't going to escape regulatory scrutiny if it markets products in a manner that involves untruthful statements, or if it sells products in the U.S. which don't conform to U.S. regulations.

 

[sfx2000]

We can debate some of the finer points

My main point is that Asus has been on the wrong side more than one - they fixed their problem and moved on, and their sales were not impacted, the customer perception of the product, etc...

Likely not a productive discussion on the finer points, this is casual chat - what's done is done - and like I said earlier - Asus has a great opportunity to make this a win - going to take some effort, but if they put in the hard work...

 

[Nullity]

We all know that advertisements bend the truth, so the argument that Asus lied by claiming the device to be secure makes no sense to me.

 

[Nullity]

We can debate some of the finer points

My main point is that Asus has been on the wrong side more than one - they fixed their problem and moved on, and their sales were not impacted, the customer perception of the product, etc...

Likely not a productive discussion on the finer points, this is casual chat - what's done is done - and like I said earlier - Asus has a great opportunity to make this a win - going to take some effort, but if they put in the hard work...

I am more interested in a source for the "sales were not impacted" statement.

 

[RMerlin]

Without going too deep - it was the Netgear/Asus issue with Asus being higher than allowed Tx power on certain channels in 5GHz...

That was the FCC, not the FTC. Netgear accused Asus of having cheated on the certification tests. It had no negative impact because all it did is tell customers that Asus used to sell routers with better than expected coverage.

Meanwhile, the current FTC story points at Asus as being filled with security holes and slow at fixing them - something that's a bit unfair.

 

[hggomes]

http://thehackernews.com/2016/02/asus-router-security-hack.html
https://www.ftc.gov/news-events/pre...rges-insecure-home-routers-cloud-services-put
https://www.ftc.gov/system/files/documents/cases/160222asusagree.pdf

 

[Patricia]

How about spending less time pointing fingers and doing what matters? Does the custom wrts have a process for discretely reporting bugs?

As a consumer I only care that the information on my network stay private.

 

[RMerlin]

How about spending less time pointing fingers and doing what matters? Does the custom wrts have a process for discretely reporting bugs?

As a consumer I only care that the information on my network stay private.

If someone came to me today, told me he needed a totally secure router and which one to buy, my answer would probably be "None currently sold". Even business-class routers were recently put into the light, with companies such as Mikrotik, Juniper and Cisco having their fair share of security problems.

The ideal (not always realistic however) solution would be to run a Linux or BSD-based solution of your own. Not only will you fully control the code (as it will be 100% closed-source), but when a security flaw appears in, say, OpenSSL, you can update it almost on the same day as the patch is available. With manufactured devices, you have to wait days, weeks (if not forever) to get an updated firmware.

The second best alternative would be OpenWRT, as it's fully open-sourced, and actively developed.

These aren't always realistic however, so the next best thing is to go with a router that gets either a) frequent AND long-term firmware updates, or b) good open-source/third party support. And disable any cloud or remote access service. If you need remote access, stick to a reliable VPN solution, either OpenVPN or IPSEC-based. Ideally, it should be the only open port on your WAN side (beside your conntracked connection, obviously).