Hacker News
by pdkl95 3804 days ago
Specific security regulation is not necessary, because the solution is simple: liability.

If a product leaks pictures of your kids to the internet when it is used normally, the product is defective. If the problem was caused by a bad design[1], then the manufacturer should be liable for their negligence.

Yes, this would make entire categories of currently-used software unusable. It would probably require recalling many current and upcoming products. Adding complex network features (or any network connectivity at all) would also add liability risk, so this would also discourage (but not ban) throwing internet connectivity on everything.

As Dan Geer recommended[2], when the product is Free Software (including the build environment), the end user has the ability to defend themselves, liability can probably be limited to a refund. However, with proprietary software or embedded devices where changing the software is not practical, the manufacturer should be liable for any damage their products cause.

I'm sure there will be a lot of resistance to this idea, as many products currently rely on bad design (smart TVs, Nest), but allowing a security-free internet of things to happen would be yet another Sword Of Damocles hanging over our head. Liability may be bad, but the problems that will happen if we connect everything to the internet without serious would be much worse.

[1] "bad design" would not include things outside of the manufacturer's control, such as a new way to weaken crypto or a completely new attack method. Buffer overflows, protocol design problems, incorrect configuration or permissions, unauthenticated updates or other downloads, and sending plaintext over a network should count.

[2] http://geer.tinho.net/geer.blackhat.6viii14.txt

2 comments

> Specific security regulation is not necessary, because the solution is simple: liability

That would be simple if companies weren't able to lawyer up and weasel out of any and all liability that doesn't come with explicit standards required by ... regulation. What makes the definition of "defective" vs "not defective" in determining liability is regulation. Regulations don't have to be "fine X will be levied if Y"; it can be "Y is required for product Z". That is regulation and it is how we define liability in the legal system. What you are proposing -- establishing bad design -- is the basic definition of regulation.

What's the definition of "defective"? The company defines this, federal regulation can supersede that, but between those two things the "leaks personal data" definition of defective must be present or it simply isn't true just because you (and most any reasonable person) say it's true. If it's explicitly excluded from warranty (or EULA) and inclusion isn't required by federal law, then you're SOL because you've tacitly agreed to be bound by that warranty and EULA by buying the product and not returning it. EULAs allow companies to get away with even known bad design bugs in software that cause data loss; there's nothing you can do about this liability-wise.

So maybe you're talking about changing the law, but good luck with that.