Thursday, December 14, 2017

Code Reviews Gone Cold

The BBC ran an article last week about a keylogger preinstalled on several models of HP laptops. A month or so ago, I talked about the Intel chip flaw that gave admin access to anyone who knew how to exploit it. My Apple experience with High Sierra was a comparable example. The HP and Intel flaws had been present for some time, four and seven years, respectively. I have to ask: whatever happened to code reviews? Don't we do them anymore?

These are three examples among hundreds showing that commercial products are getting to market with serious flaws in their security, which is nothing new to most of us. Our laws allow vendors to offer products for sale without any liability for whatever flaws those products may contain. There is not much incentive to do anything except wait until some security researcher finds the flaw and points it out. Maybe a year or so later, it gets fixed.

The vendor says that it is an acceptable risk to the consumer, but never asks what an acceptable risk is to someone buying a computer. It isn't acceptable to me. Normal due diligence requires code reviews, and vendors are ignoring that in favor of pushing it off on whoever builds software for them. It is the integration of that software that the vendor should be responsible for: the code gets integrated into the vendor's product, and it is the vendor, not the software suppliers, that ships it. Why do security researchers, or users, have to be the ones finding these flaws? The vendors should be doing it before the product goes to market. Maybe they might hire a couple of those security researchers to see what flaws they can find before they charge us for the devices. Then I might accept the risk.
