[ale] Not scanned! Re: Freelance web-devs make in-secure sites
DJ-Pfulio
djpfulio at jdpfu.com
Thu Jun 8 09:10:27 EDT 2017
Which is why - and I can't believe I'm saying this - we need national laws
(cough, cough, cough) to mandate support periods (5-10 yrs?) and mandatory
patching at least quarterly for all connected devices if more than 200 are sold.
"connected" means **any** networking capability.

The penalties need to be >> corporation ending << for failure to comply and tied
to the management team, so they cannot be serial failures selling the same basic
thing and going out of business every few years.

Plus, this will prevent companies from adding networking, unless there is a
really good reason, due to the patching required - looking at many TVs.

I'm tired of Google thinking a $300-$1500 device has a 3 yr life.

_Supported-until at-least_ dates on packaging, mandatory. If a company is sold,
those support dates MUST be carried forward. Sorta a poison pill to prevent that
old loophole.

I'm tired of router companies putting out crap $20-$250 routers and NEVER making
any patches available. Yes, many of those $250 routers are crap.
On 06/08/2017 08:45 AM, Jim Kinney wrote:
> The merest hint of "set and forget" devices left live online forever scares the
> poo out of me. Colossally stupid idea. Add the "use of this device releases the
> manufacturer of all liability" license crap and it starts looking like a smokers
> convention at a fireworks factory.
>
> There's a responsibility level that software production just hasn't accepted
> yet. Sometimes 'release early, release often' is really translated to 'break
> early, break often, release anyway'.
>
>
>
> On Jun 8, 2017 8:31 AM, "DJ-Pfulio" <DJPfulio at jdpfu.com> wrote:
>
> Perhaps IoT devices need this too?
>
> Bruce Schneier's blog ...
> https://www.schneier.com/blog/archives/2017/06/safety_and_secu.html
> "Last year, on October 21, your digital video recorder — or at least a
> DVR like yours — knocked Twitter off the internet. Someone used your
> DVR, along with millions of insecure webcams, routers, and other
> connected devices, to launch an attack that started a chain reaction,
> resulting in Twitter, Reddit, Netflix, and many sites going off the
> internet. You probably didn't realize that your DVR had that kind of
> power. But it does."
>
>
> A few years ago during a national election in a smaller country, the
> entire country was taken offline using internet attacks.
>
> IoT (or Internet of Shit-devices) have amplified this power.
>
>
> On 06/08/2017 08:09 AM, Jim Kinney wrote:
> > Hah!
> >
> > Sad but true.
> >
> > Certain aspects of programming should be required to be
> > run/directed/managed by licensed professional engineers. Finance,
> > utilities, and medical are the top three for me that scream for real
> > professional programming. We don't let precocious high schoolers build
> > bridges just because they were really good with lego blocks. Engineering
> > of physical things protects itself with professional standards.
> > Engineering of virtual things needs to do the same.
> >
> > On Jun 8, 2017 7:44 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com> wrote:
> >
> > For $250 they got about what they paid for.
> >
> > On Thu, Jun 8, 2017 at 6:42 AM, DJ-Pfulio <DJPfulio at jdpfu.com> wrote:
> >
> > Of the 17 commissioned projects by Tripwire (a security firm), 10
> > websites were completed and purchased.
> >
> > The researchers found that every website had critical security
> > failures.
> > Read more here:
> >
> > https://www.helpnetsecurity.com/2017/06/08/website-security/
> >
> > * Unauthorized users allowed (all) - Check
> > * Allowed hackers to upload a PHP webshell (all) - Check
> > * Allowed auth bypass via SQL injection (several) - Check
> > * Allowed content modification via SQL injection (half) - Check
> >
> > Short, but interesting read.
>