cybereality ([H]F Junkie, joined Mar 22, 2008, 8,789 messages)
I think it's a good idea. They should also ban WEP while they're at it since it provides almost no security.
this one?
I haven't seen the "correct horse battery stapler" comic in several years.
...and it's freakin' right.
It was originally from XKCD. https://xkcd.com/936/
It's there in the direct quote:
It doesn't say you can't reset to the original password, but chances are that if you don't know your own password you won't know the original unique password either, unless you kept it documented somewhere.
I made the mistake of assuming you don't want to have the password on the device for security. I forgot you can change the password so people with physical access can't access the admin page. So it is not bricked, assuming all manufacturers put the password on the device itself.
It's printed on the label on the device along with the serial number, model number, etc. You don't have to remember anything, and resetting it doesn't brick it. Completely misleading/mistaken thread title.
This.
I support this.
Furthermore, I'd like to ban any claim of encryption where the encryption key resides on any central server or service.
Encryption keys should need to be manually installed on each and every device that needs them. Inconvenient, yes, but the only way you can be sure there is no man-in-the-middle.
My voice is my passport, verify me.
This is very bad. So this is like if your smartphone doesn't work to the point that it's bricked at the password level. It happens if for some reason it hangs while you were inserting a new password. Then you cannot erase it to factory level and configure it again.
The flip side to this is that by NOT doing this, you inevitably create massive botnets around compromised IoT devices.
The simple solution is to stick / etch the unique password onto the device itself.
Correct me if I'm wrong, from this I don't think it's saying you can't reset the password, just that you can't reset it to some universal default like 123456.
In my opinion, this is a MASSIVE step in the right direction.
Wow, someone doesn't want SSL any more.
Apple already does this and every dick and his dog still bitches and moans about right to repair. Expect the most secure device in the world but still expect to be able to repair it yourself.
Is someone really going to break into your house to steal your coffee maker/refrigerator/toaster password if it's printed somewhere directly on the unit?
No, but you can't have it on the device in a hotel lobby, or office building. Even at home you perhaps want to keep your kids out of the filters in your router.
This is very bad. So this is like if your smartphone doesn't work to the point that it's bricked at the password level. It happens if for some reason it hangs while you were inserting a new password. Then you cannot erase it to factory level and configure it again.
This is a bit like what Apple does on its iPhones, so it is very difficult to resell one except through Apple's channels.
Ah ok. So this is already the case on many devices, like the Orange Boxes. Not a big deal. On the contrary, it's good. Many people leave the default password.
Not at all.
No one is saying that the factory reset option should go away.
Just that when you factory reset you reset it to a unique password for that one device, not the same password for all devices. That unique password can be laser etched into the device, so that you never lose it.
It is also not a security issue to have it laser etched, as the device would have to be encrypted, and wipes the key upon factory reset, so all data is inaccessible.
This is just common sense. Any time you use the same default password across your entire product lineup bad things can and will happen.
With hardware-forced timeouts for wrong attempts, say 15 min after 3 failed attempts, to prevent brute-force attacks.
The problem with a hardware-forced timeout is that it would be tantamount to a denial of service/access to the device. A hacker could deny the owner the ability to access the device. Sure, save the internet from an IoT botfarm, but deny the owner of the device the ability to access and control said device. It's a double-edged sword.
Umm, no. If the devices are made with a focus on security, the remote management option will be disabled by default. And if it is enabled and a hacker keeps trying and locking the administration of the device, unplug it from the internet for 15 minutes.
Saving the internet from a botfarm is far better than not.
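The scheme the last few posts argue over (a default credential unique to each unit and restored by factory reset, a data key that is wiped on reset so the etched label leaks nothing useful, and a 3-strikes/15-minute lockout that bites only the remote interface so the owner at the local console is never locked out) can be written down as a small model. This is an added illustrative example, not code from any vendor and not the text of the UK legislation; the class, method names, iteration counts and the "remote vs. local" split are assumptions made for the example.

```python
# Toy model of the per-device default-credential scheme discussed above.
# Added example; every name, constant and design choice here is assumed.
import hashlib
import hmac
import secrets
import time
from typing import Optional

LOCKOUT_THRESHOLD = 3        # failed attempts before lockout (figure from the thread)
LOCKOUT_SECONDS = 15 * 60    # 15 minutes, as proposed in the thread
LABEL_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no 0/o/1/l/i: easier to read off a label


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 is used here only because it is always present in hashlib;
    # a real device would pick a memory-hard KDF and tune it to its CPU.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Device:
    def __init__(self, serial: str) -> None:
        self.serial = serial
        # Provisioned once at the factory and written to a region that factory
        # reset never touches. Random, not derived from serial or MAC: a label
        # derived from public identifiers is only as secret as the derivation.
        self.label_password = "".join(secrets.choice(LABEL_ALPHABET) for _ in range(12))
        self._default_salt = secrets.token_bytes(16)
        self._default_hash = _hash(self.label_password, self._default_salt)
        self.factory_reset()

    def factory_reset(self) -> None:
        # Credential returns to THIS unit's default, not a fleet-wide one.
        # The data key is replaced, so anything encrypted before is unreadable,
        # which is why printing the default on the case leaks no stored data.
        self._admin_salt, self._admin_hash = self._default_salt, self._default_hash
        self._data_key = secrets.token_bytes(32)
        self.remote_management = False      # off by default, as argued in the thread
        self._remote_failures = 0
        self._remote_locked_until = 0.0

    def set_password(self, new_password: str) -> None:
        self._admin_salt = secrets.token_bytes(16)
        self._admin_hash = _hash(new_password, self._admin_salt)

    def login(self, password: str, remote: bool = False, now: Optional[float] = None) -> str:
        """Returns 'ok', 'bad_password', 'locked' or 'remote_disabled'."""
        now = time.time() if now is None else now
        if remote:
            if not self.remote_management:
                return "remote_disabled"
            if now < self._remote_locked_until:
                return "locked"
        ok = hmac.compare_digest(_hash(password, self._admin_salt), self._admin_hash)
        if ok:
            if remote:
                self._remote_failures = 0
            return "ok"
        if remote:
            # Lockout state is kept for the network side only: an attacker
            # hammering the WAN port cannot lock the owner out of the local console.
            self._remote_failures += 1
            if self._remote_failures >= LOCKOUT_THRESHOLD:
                self._remote_locked_until = now + LOCKOUT_SECONDS
                self._remote_failures = 0
        return "bad_password"

    def key_id(self) -> str:
        # Fingerprint of the current data key. Records are tagged with it, so a
        # reset device can tell that pre-reset ciphertext is unrecoverable.
        return hashlib.sha256(self._data_key).hexdigest()[:16]


if __name__ == "__main__":
    d = Device("SN-0001")                      # constructed sample unit
    print("label:", d.label_password)
    d.remote_management = True
    for _ in range(LOCKOUT_THRESHOLD):
        d.login("123456", remote=True, now=0.0)
    print("remote after 3 failures:", d.login(d.label_password, remote=True, now=1.0))
    print("local at the same moment:", d.login(d.label_password, remote=False, now=1.0))
```

The two things to take from the model are that the label password is a per-unit verifier, never a fleet-wide constant, and that the lockout counter lives on the remote interface, which answers the denial-of-service objection raised a few posts up without giving up the brute-force protection.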
Have you checked the new law in the EU regarding your bank account? It is just crazy. If you ever want to buy or pay for something, you can only do it with your card (no cheques apart from some rare transactions) and you need to validate that with an app on your phone and your fingerprint or facial recognition and a password which needs to be changed every 3 months. Applicable on the 1st of April (not an April Fools' joke). Just crazy and not secure at all. It is just that if someone hacks you, it will be so good that you won't have good proof to get the money back, and so the bank won't lose anything and the police won't look into it; they will consider you responsible for your loss. But in the meantime, paying with real money and cheques is becoming illegal (especially in France and Sweden)... so no more choice.
I think my router and/or cable modem does this. And yeah, it's better than having admin/<nul> as the default login/password that I'm sure quite a few people never change.
They already do this on some wifi routers. The password is printed right on the label. BFD.
It's about time, and they need to pass this in the US also.
Right to repair has nothing to do with this. Cell phones are already generally secure (the point of the proposal/law), but with physical access can be broken in to. This is about set and forget type devices like IoT connected refrigerators, wifi routers, edge devices. Right to repair is not impacted at all by this.
Those are not reasons to not hold hardware manufacturers to best practices regarding the security of their devices. In the above situation they can remove those passwords from the devices' labels.
It's still a good idea that is long overdue.
Yes it does, everything from iPhone data recovery demanding access to manufacturer tools right down to the T2 hardware encryption chip that ties all Macs' SSDs to the board.
Is this your first time reading about the idea of encryption?
Hardware encryption not shitty software encryption.
Isn't that essentially how routers are now? I know my Netgear router's default looks unique, and it's probably 6-8 years old.
IoT device manufacturers must be thrilled by new UK legislation that requires the use of unique default passwords on all connected devices. And more importantly bans the password reset feature.
This means if you forget the password and don't have the original documentation with your unique password, you can throw out the device because it is basically bricked.
Let's be honest, you don't often need the password for most devices, so it is more than likely to get misplaced or forgotten after a few months or years. Chalk another one up for planned obsolescence, this time mandated by the state.
Source