Well, users do care about getting hacked when it happens - so maybe they do need to be forced to pay a little more to be secure. This also has benefits for e-commerce and on-line banking, credit card fraud etc. - so there are definitely companies who will benefit from reduced on-line crime, so maybe the end-user wouldn't need to be paying the whole bill? The ISPs themselves should also be paying for some of this additional cost - and if it's done across the industry then there would be no competitive disadvantage.
I work as a senior developer, salaried for a company, and I do require all of my developers to use security best practices as they develop. So I don't think this is necessarily naive, but again it's about out-sourcing vs having good staff in-house to do the company's work. Or if a company is going to out-source they need to use an agency with good standards and reputation to be sure work is completed to a professional standard. So I do agree with you it all comes down to costs and who is going to pay. I don't have time to write a detailed dissertation, but obviously there would be a great deal that would need defining here for it to become law - such as what is considered a minimum security standard and how to certify/audit the work etc. Still seems worth doing to me.

All the best,

Dan.

On 16 January 2014 11:52, Źmicier Januszkiewicz <[email protected]> wrote:
> True, some sort of legislation might do the trick, but there is always this nasty question which we all really hate: who is going to pay for that? We can't burden national budgets with stuff like that, ISPs do not produce more than they are paid by customers, so... end users! So technically, we'll be forcing end users to pay more for something they do not care as much about. :-) Also, the "standards" would need to be defined somehow (see Huawei vs U.S. of A. and other countries).
>
> With regards to security costs, my freelance programming experience tells me that people tend to produce no more than they are paid for; assuming someone would work extra hours to implement something not previously negotiated (see above) and hence not paid for is a bit naive (no offense). Same goes for companies that do outsourcing contracts, they are paid by hours and they pay by hours, so sometimes you are actually asked NOT to put in extra effort. :-) As for basic security practices, well, the device does ask for a password, doesn't it. :-) Seems we should define "basic" here.
>
> A somewhat related point is that these "basic security practices" you mention are not actually taught anywhere on CS courses one would usually take, even less so on some "teach yourself {a language} in 21 days" sort of courses/books. It is a ground-breaking revelation for many development folks that you can compromise an application via a crafted data file exploiting some sort of a buffer overflow!
>
> 2014/1/16 Dan Ballance <[email protected]>:
> > So your point is that there should be legislation to require companies to adhere to certain security standards? I'd support that - particularly in an ISP market which is clearly defined by national boundaries and law.
> >
> > I do agree with you this is probably to do with cheap out-sourcing, as well as subsequent economic analysis. Where I disagree is that basic security costs any more. Most of this stuff is what I would classify as "schoolboy errors" - not a super-secure system designed by the finest security minds in the industry. Anyone with even mid-range skills should be able to implement basic security practices as they work IMHO. But I do take your general point :)
> >
> > As for my shock - well I am still shocked. It sucks big time and they really should be doing better. Let's hope Scott's article gets some coverage and finds its way back to them.
> >
> > On 16 January 2014 09:32, Źmicier Januszkiewicz <[email protected]> wrote:
> >>
> >> > Absolutely shocking lack of security considerations.
> >>
> >> Is it, really? I've got a feeling that companies don't give a s--t about your data, your privacy, and so on (proved by numerous examples out there), unless absolutely required to do so by law, and there is a good reason behind that.
> >> It is not a charity fund, you see; a company is all about money, even if they state otherwise via their "motto" or "mission", and as we all know, a dollar saved is a dollar earned... So they try to get it working by hiring 1-2 Chinese/Indian/Pakistan/Younameit techies (not because they are bad at what they do, but because they are cheap), and squeeze them until the stuff is working somewhat. And that's it! Then those who made it work are fired, and another group with an even thinner payslip is hired for "support". Note that at no point is any emphasis on security of the product made -- a company is not interested in spending more money, and workers are not interested in spending their life without any compensation.
> >>
> >> Why is a company not interested? Just some simple calculations anyone can do: having a working device/service/whatever brings in paying customers, having a secure device/service/whatever brings in expenses. So, we get the usual "sorry, we have no budget for that!" reply even if one asks for a security review.
> >>
> >> And then, see, even if your company manages to produce a "highly secure" device/service by hiring N brilliant minds and paying 5 digits/mo to each of them, then magic happens -- the cost of the end product is so high nobody buys it! Surprise! Will you pay 300 pounds more for something that does the same, but claims to be "secure"? No. Will a punter pay 300 pounds more for that? Hell no. Just as simple as that.
> >>
> >> I do find it amusing how people get "shocked" by such a simple thing...
> >>
> >> 2014/1/16 Dan Ballance <[email protected]>:
> >> > What a great write-up and what an appalling mess for a UK ISP to be in in 2014. Absolutely shocking lack of security considerations. Thanks for sharing this. I've just followed you on Twitter as well,
> >> >
> >> > cheers,
> >> >
> >> > Dan.
> >> >
> >> > On 15 January 2014 20:28, Scott Helme <[email protected]> wrote:
> >> >> The BrightBox router is the standard equipment issued by UK ISP Everything Everywhere (EE) to its subscribers.
> >> >>
> >> >> The device not only leaks sensitive data but is remotely exploitable too. An attacker even has the ability to take control of your account as the router leaks your ISP account credentials.
> >> >>
> >> >> You can read the full article here: https://scotthelme.co.uk/ee-brightbox-router-hacked/
> >> >>
> >> >> Scott.
> >> >>
> >> >> _______________________________________________
> >> >> Full-Disclosure - We believe in it.
> >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> >> Hosted and sponsored by Secunia - http://secunia.com/
