
The Security Table
The Security Table is four cybersecurity industry veterans from diverse backgrounds discussing how to build secure software and all the issues that arise!
Simple Product Security Requirements
Matt, Izar, and Chris discuss the United Kingdom's new minimum security standards for all Internet-connected consumer products. They highlight three key aspects of these new standards:
Banning of Universal Default and Easily Guessable Passwords: The hosts agree this is a long-overdue measure, as universal default passwords present a significant security risk. They also touch on challenges such as vendor services requiring default passwords and potential ways to address this, like physical switches for privileged access.
Transparency about Security Updates: The hosts discuss the requirement for manufacturers to be clear about how long products will receive security updates. This provision aims to help consumers make better purchasing decisions. In addition, they discuss the challenges it may pose for smaller manufacturers and the potential impact on product pricing.
Vulnerability Reports: The hosts discuss the requirement for manufacturers to publish a contact point for vulnerability reports and to respond to them within a reasonable timeframe. They note that many companies struggle to manage this process effectively and express skepticism about whether this requirement will significantly improve the situation.
While they acknowledge that some of these requirements may challenge smaller companies, the hosts generally see them as a positive step towards better consumer product security.
FOLLOW OUR SOCIAL MEDIA:
➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel
Thanks for Listening!
Hey folks. Welcome to another episode of The Security Table. I am joined by my friends Matt Coles and Izar, and I am proud to announce that we have given Izar a new title here on The Security Table. He's now officially Minister of AI and whatever the other thing was, I don't remember.
Izar Tarandash:It was, it was, it was, wait, wait, wait. I have it here. It was Minister. Minister for AI and Intellectual Property. The
Chris Romeo:that
Izar Tarandash:Viscount, the viscount. I, I want the viscount part.
Chris Romeo:Yeah. Okay. We can add that too, cuz listen, in the security table, we can, we can do whatever we want. That's the beauty of, of sitting around the table here. We can make whatever decisions we want. So Matt will work on your title. We, I don't have a good one for you
Izar Tarandash:Magnanimous Threat Modeler for Life.
Chris Romeo:That, that sounds like a good tattoo. I don't know about a title, but I could see Matt tattooing that across his chest, you know, in that.
Matthew Coles:certain
Chris Romeo:threat
Matthew Coles:invisible ink, with ultraviolet ink. So it only shows up at, uh, certain times.
Chris Romeo:only when you pass through
Matthew Coles:That's right.
Izar Tarandash:We should do the thing. Threat modeling life didn't choose me.
Matthew Coles:Actually, actually, we, you could do, you could do on, I can't put my hand here. Th threat. So we need six fingers, right? We need six fingers. So,
Chris Romeo:T-H-R-E-A-T. Well, you put two letters across one knuckle.
Izar Tarandash:wait. How many do you
Matthew Coles:I, I have, I am not the six-fingered man.
Chris Romeo:And we just did a quick inventory.
Matthew Coles:We got, we got our Princess Bride in, in for the day, so we're good.
Chris Romeo:There you go. We are actually here to talk about something serious other than threat modeling, tattoos, titles, and other types of fun stuff. So the, uh, we've been, we've been tracking, and Izar brought to our attention, the, uh, the government of the United Kingdom has some minimum security standards that they're kicking around. Um, "Countdown begins for new minimum security standards regime for all consumer products with internet connectivity." So while we do love to be part of a good regime, first of all, if we get that opportunity,
Izar Tarandash:Coffee
Chris Romeo:I thought we, I thought we would, we would unpack a few of the examples that they gave here. We're not gonna dive into this entire document, but let's unpack a few of the different things that, uh, that they're referencing. And I, I did have a chance to scan through the, uh, the act itself, and they did have a pretty broad definition of consumer products to include mobile phones and other things. So this isn't just IoT that they're, that they're prescribing these types of security requirements for. But let's jump in with the first one and just, just kind of go through this list and maybe pick it apart a little bit and see what, what are our thoughts on this? And so the first one says, the banning of universal default and easily guessable default passwords on consumer connectable products. So this one feels like we've been saying this for two decades at this point.
Izar Tarandash:Saying, we've been shouting, we've been crying.
Chris Romeo:We've almost gone through the five stages of grief in this particular, to try to get people to, to, to, to respond to it. You know, there was denial. There was, you know, all these things. But yeah, it seems like this is one of those ones that I feel like we've been saying for a long time.
Matthew Coles:Yeah, we, oh, go ahead. You first.
Izar Tarandash:No, no, you, you go, you
Matthew Coles:The viscount first, please.
Izar Tarandash:So, so the, the, the thing is, it's funny that right when we are starting to, to hear people going on, uh, about bad passwords, then we finally get somebody to shout, hey, hey guys, stop with the, uh, the default, right?
Matthew Coles:This isn't the first time, this isn't the first time we've seen, we've seen regulations and, or, or well, guidelines, certainly. And, and or regulations to
Izar Tarandash:Guidelines.
Matthew Coles:to have default passwords removed.
Izar Tarandash:But these are actual, I don't remember seeing actual regulations that
Matthew Coles:No. Uh, this is, well this is, for the UK this is not new. I believe that they've had with security last year, they had regulations around, around this. Um,
Chris Romeo:Yeah. So
Izar Tarandash:What do I know?
Chris Romeo:What's the, just for, for, maybe we might have some people listening that don't, that haven't been living this, this battle for the last 20 years of their lives with default passwords. So let's, let's just lay a foundation, uh, Matt, like what are, what, what's the challenge with a default or easily guessable default password?
Matthew Coles:Seriously. Uh, if, if, if a, if a credential is well known and something has access to a system. Uh, so, so first off, often default passwords are well documented, and by well documented, I mean they exist in the product documentation, which makes its way off into public-facing websites that anybody can look up. And so having access to a system, uh, and, and many systems today are at least within the home network, if not internet facing, uh, either, either by design or by accident. Uh, and so that gives, gives an attacker direct access to what is most likely a highly privileged account. I mean, in a nutshell, that's why we don't like default passwords, and, uh, and so, um, it is hard, it is important. It is, it is usually easier to fix the default password than it is to fix the secure, uh, connected deployment aspect.
Chris Romeo:Hmm. Yeah, and I was, uh, I was working at Cisco in the days of Cisco123, which was still the, the default credential, and
Izar Tarandash:Oh,
Matthew Coles:been, you stalker to use password123 at this point, right? With uh,
Chris Romeo:Yeah, but I mean every, everybody across the internet knew Cisco123 was the default. When I take the metal box out of the cardboard box, I apply power, it brings up a login. If it had a login or whatever configured, it was always Cisco123 is the way in. So that, the challenge being that everybody knew kind of what that was, and so it sounds like we're, we're violently in agreement here that this is a good practice. It's almost like we wish it would've been implemented 10 or
Matthew Coles:Remember root, you had root, root. Root and then toor, cuz people tried to be fancy, right, to get rid of the default passwords by obscuring it. We know security, security by obscurity doesn't work.
Izar Tarandash:Although I have to pop the balloon there somewhere, so I wonder if they're saying, uh, what's the minimum that should go in place instead of this? Like, are we going to start looking at, uh, government-given password policies? Not that those work at all, but, or are we going to start seeing, uh, vendors become more creative in the schemes that they use for that kind
Matthew Coles:Well, are you su, are you suggesting
Izar Tarandash:Many times you get, no, many times you get a default password, like either as a, a setup thing, and you are forced to change it. Right? And that's good. That's great. We, we have always been saying that, that that is the way, but sometimes the vendors say, hey, we need that default password, because otherwise, how can we service the device? Right? We want to reach out and touch someone. We have to know how to get into the house.
Chris Romeo:Do people, do, do companies even do that anymore though? As a strategy to, would they do remote? Like I would've thought that would've been a thing of the past, of, of doing remote troubleshooting and support.
Izar Tarandash:Your optimism is endearing.
Matthew Coles:Now I think, I think that that's a regular.
Chris Romeo:I'm an eternal
Matthew Coles:still a regular practice by, by companies, especially with, with a, I, I think a lot of companies shifting towards managed services over the years. Um, so I don't think this is, I don't think this is unique or, or special in any way, shape or form. Um, maybe it, maybe it's no longer that, um, uh, you know, companies don't feel like it's necessary for the consumer to, to have access. Um, but I think there's a value-add play there, uh, for, for a number of organizations.
Izar Tarandash:Things like, uh, SCADA and, uh, industrial controllers and stuff like that, so I understand that that's still very much a practice.
Matthew Coles:But, but then I think the expectation there is, again, the deployment scenario is such that it's limited and restricted access, and therefore, uh, having a default credential is, uh, is less severe. Um, and so, but we also know from, from history and experience that their threat model is, uh, is maybe not as, um, fully fleshed out as, as, as it should be. So,
Izar Tarandash:Or it doesn't go forward
Matthew Coles:Well, that's what I mean, right? It doesn't evolve with the threats that actually exist as the system gets deployed and, and, and it is maintained. Um, now it's interesting, you know, just, I, I did quickly look at the, uh, at the actual regulation here. So it says passwords must be unique per product, or defined by the user of the product. And so the, the argument that an organization might make, a company might make is, well, if we don't have access to the password, how are we gonna be able to provide support services? The flip side of that, of course, is if you set, if you set it uniquely, you'll just have to, uh, no, I, I wanna be careful. The wording is a little vague. It says unique per product. Is that per product as built or per product deployed? So that's a, that's one interesting question. But the, um, if you allow the user to set a credential, in other words, if, so, interestingly enough, at setup time, it pops up a dialog that says, do you wanna set a password, otherwise you don't get in. Or does it start with no authentication, which would potentially be even worse? Um, and because some users may, may skip that step if, if they're allowed to, um, but a company that's providing a support service would then have to gain access to that credential. They would be, uh, they would need to have a partnership with the consumer in order to, uh, in order to provide the service that's expected.
Chris Romeo:Yeah, you're kind of describing a single-credential world from a, I mean in, in this particular, I mean, in this day and age, imagining a product that only had a single credential that I had to share with somebody else would be a
Matthew Coles:Well, I'm talking about specifically an administrative or, or configuration, you know, support credential, right? User credentials should be user, user specified. Maintenance, and, uh, dare I say backdoor, but I won't, don't want to use that term here. Um, cuz in theory these are all documented credentials, uh, or, or at least well-known interfaces that have credentials. Um, those things I think are what is really in focus for this effort, right? So if we talk about an embedded system or a device that's supposed to be relatively hands-off for, for an actual user, you may have a maintenance account or, um, or a support account or, or a configuration account, um, that would require a credential. And I think that's the, that's where this becomes the challenge, right? Because you want to be able to maintain or manage a fleet of devices. Do you wanna have to manage a fleet of credentials for those devices too? I know, I know. You do and I do. Uh, but, uh, an organization providing services, you know, Geek Squad, is gonna have to do that.
Chris Romeo:I wouldn't let Geek Squad near my network,
Izar Tarandash:Yeah, but that's the thing. The people that would, would probably either not care or not know about this, the size of the things. But Matt, a question that, that just, uh, uh, came up to me while we're, you were talking, you probably know about this. Do we have any precedent on consumer products? Like, let's say I, I bought a, a router. I'm setting it up. I enter my user password, but for anything that requires privileged access, I have to actually go and flip a hardware switch.
Matthew Coles:I don't think I've seen that on a device in recent memory. Um, I know that there are, so, I know, I know some IoT devices, and IoT devices means smart devices for home use, not routers per se, but some of the others, that service access is actually physically protected, meaning you have to either gain access to a port that might be, um, uh, not, well, not, not easily accessible, or you may require a special cable cuz it has a certain pinout that doesn't allow traditional access. But I don't think I've ever s, I don't, I don't recall seeing something where you have to have a physical switch in order to put it into service mode in, in that way.
Izar Tarandash:How cool would it be if, the same way that we have keys to our homes, we would have like a, a YubiKey or something like that, and whenever you have to change something that's, uh, uh, privileged inside your, your home devices, you would have to put
Matthew Coles:Uh, I can tell you that depending on the nature of the device, um, and the, um, I guess the nature of the device and its costs, and I, I mean cost to manufacture and, and maintain, uh, many of the devices, many of the chips that are used don't have the crypto support to be able to do something like that. Um, so.
Izar Tarandash:But in, in this case, it wouldn't even be crypto. You could just like register one of those. They have unique, uh, uh, serial numbers. Just the fact that you physically put it in there means, hey, it's me. I'm inside the house and, uh, now I can do whatever I want.
Chris Romeo:There needs to be a, a whole suite of connected products for people like us with high assurance needs and requirements, but I don't think the average consumer wants to pay double whatever the smart thermostat costs to have the ability to protect that device in update, you know, from when an update's being applied, or they don't want the, the inconvenience.
Izar Tarandash:But wait, aren't people already used to the, uh, to the, uh, uh, touch your phone to, to pay for gas or
Matthew Coles:Which requires NFC.
Izar Tarandash:couldn't we have? Yeah. Why, why couldn't we have that? In, in, in
Matthew Coles:So how do you secure that? So NFC is not without risk. Bluetooth is not without risk. Right? It's a proximity, it certainly is a proximity thing. Um, and I guess that's the argument, right? Is that you're, if you, if you have the ability to do an NFC, you're physically next to the device.
Izar Tarandash:Or don't, don't NFC, go back to the, the YubiKey as registered, but it, it's a very easy 2FA that I think that people in this time and age would, would already be willing to accept, as it's like your, your digital home
Matthew Coles:so I, oh.
Chris Romeo:I was gonna say the value of the asset, right? Like the average consumer out there is not as concerned. They, they may be willing to, you know, to make strides or whatever. They're just not as concerned. Like when you think about proximity, if you did something, those proximity-based, somebody who used to be a high-level government official and has a higher risk profile than somebody who's, um, you know, just never been famous, let's just say. I think, I think there is a, like, you don't have to worry as much about somebody trying to get into
Izar Tarandash:Somebody with less of a risk appetite. Yeah.
Chris Romeo:Yeah, yeah. Somebody's gonna try to use Bluetooth to attack somebody who's, there's just a risk profile there. Some people would be higher-level targets where somebody might want to try to attack Bluetooth to, to disrupt something in their
Matthew Coles:So, uh, now it's important to note, I think for the purpose of this, of the thing that we're talking about, the regulation that we're talking about, um, they have specifically taken out of the conversation non-password-based systems. So if you're using Bluetooth, if you're using Bluetooth and NFC as a means of access control, uh, for authentication or, or to, uh, MFA, um, that, that portion is, is out of scope. So, specifically out of scope, do not include our cryptographic keys. So anytime you're using NFC, you're gonna be, or, or, or some, uh, you know, device, something you have or some, or something you own that's in close proximity, there's gonna be a key exchange that occurs. That's not a password. So that's outta scope. Uh,
Izar Tarandash:Okay, the next
Chris Romeo:The next one. Yeah, we only got three more to go.
Matthew Coles:what's our track record here?
Chris Romeo:Second one. We're about, we're running at about 15 minutes per, but we're gonna do
Izar Tarandash:The, the second one is easy.
Matthew Coles:is it?
Chris Romeo:Yeah. Increase manufacturer transparency on how long products will receive security updates,
Matthew Coles:Yep.
Chris Romeo:helping the consumer make better purchasing decisions, is the goal here. So basically, I guess what it's saying is, if I'm building a product, I have to, on the label or on the box, I have to say, we'll receive product updates until January 2027.
Izar Tarandash:Assuming we are still in business,
Chris Romeo:Asterisks, put an asterisk after
Matthew Coles:Yeah, so, so looking at the regulation, it is, it is a little bit easier to understand on this one. It applies to hardware and software or the combination. So that's actually really critically important, and it requires a contact person, so it relies, requires a point of contact. So many companies already maintain security@, you know, companyname.com, um, or they have a PSIRT or, or CSIRT team, uh, that's, that's sort of a point of contact, or even a legal team. Many, many, some companies have legal as their point of contact, uh, and, uh, or they have a support channel, something which is definitive that somebody can say, okay, I can report a security issue, again, store or make requests. Uh, and then when somebody makes a request specifically, they will get back, they need to get back at least an acknowledgement that the issue was received and status updates on a regular basis. So that's the reporting part, and, uh, a place to indicate how long security updates, like, like Chris was saying. We see this with, um, things like, um, Chromebooks or, or, or Android support, right? There, there's a definitive timeline of when the last security update will be, will be applied, right. Um, so some companies already do this, um, but this is a call to action for smaller OEMs and, and ISVs to, um, to really think about this long term. That product release is not your goal. It's, it's product lifecycle, including to decommission and, and, and destruction.
Chris Romeo:Yeah, and, and I know where this is coming from. Like in the early days of IoT, there were products that were rushed to market that didn't even have an update
Izar Tarandash:Mm-hmm.
Chris Romeo:So it was like, oh, this, if it, if it's not working as you expected, you're gonna need to throw it away and buy another one. And so that I get, that's where some of this is coming from. I think if we look at the next one, the next one was a little, was a little more puzzling to me, and, and maybe you guys can help me.
Matthew Coles:Oh,
Chris Romeo:Factor what's
Matthew Coles:Actually, before we move on to that next one, so an interesting comment, uh, on this regulation. So in the, specifically the section around, uh, around security updates. So again, somebody can make a request for, um, for how long things should be in support for. It has to be provided without any prior request, without, without costs, without requesting personal information, in a way that is understandable to a non-technical reader, in English specifically. So that's an, that's a
Chris Romeo:That just got a lot harder.
Matthew Coles:Well, the, the what? The non-technical audience part.
Chris Romeo:Well, no, I mean, I can't make it. I can't charge for it though. So you're basically telling me that I have to pick a date, an arbitrary date in the future, that I'll update this thing through, and I have to, so I have to build that into my cost model. So that, that's, I'm gonna, I'm gonna, I'm reaching kind of a, a, so, almost a soapbox moment here. Cuz I'm realizing, I'm realizing what's happening here though is that this is gonna add, so these products are gonna have to double in cost to make something like this work. Because I, you know, like when I buy a new computer, I can buy an extended warranty to support it for, for an extended period of time. Sounds like what this is telling me is I can't do that anymore. I still have to have a, a, a base, a security level of updates that's included and that I can't charge for until I reach the end of life that I've put on the label, on the box. Is that, am I interpreting this right, or am I, am I missing the mark?
Matthew Coles:So the, I'm not sure about on the box. It does say about publishing it on a website, or making it available on request. Uh, what's interesting though, what's also, also interesting here, so this, this may go, go to your soapbox moment, is as a manufacturer, if you choose and publish a date, you cannot ever make it shorter than that. You may extend it, but you can't make it shorter than that. So if you decide, oh, we, we need to end-of-life this thing earlier than, than be, than necessary, um, you know, planned obsolescence, for instance, uh, before that target date, that's a no-no. Um, and so you really do have to plan your support resources and, and everything, because again, you're gonna have to commit to security updates. And security updates for technologies where you may choose technologies that are reaching end of life when you choose them, and they go end of life after, uh, before your support date ends. Uh, or, or other factors. You know, if, if, uh, if, if you have an, if you have a website and you're in and you're using, uh, Node, for instance, and one of those Node projects just disappears, uh, you have to plan for that and you have to be able to account and manage that. And maybe you're doing patches on your own for security issues. So, uh, that's, um, that, that does potentially have a cost to it, but that's a, that's a cost that should have been, should have been borne anyway by the engineering effort.
Izar Tarandash:I am
Matthew Coles:Uh, what? Are you confused? We're all confused.
Izar Tarandash:It seemed to me, no, it, it seemed to me that we were on the second bullet, the one that talks about how long products will receive
Matthew Coles:We are, yes.
Izar Tarandash:updates for, and somehow we jumped to the fourth bullet, which is device manufacturers would be required to publish contact information to allow
Matthew Coles:Sorry, I, I, I brought them together because they're, they're mixed together in the same section.
Izar Tarandash:Yeah. Then I went to look at the, sorry, I went to look at the, the law itself, and I, I'm utterly confused, because this paragraph has to comply with that paragraph and the other paragraph, and my God, I was not born for this. But, uh, okay. At, at, at the end of the day, j, just to go back to, to Chris's point, is that this is going to make things
Matthew Coles:Yep.
Izar Tarandash:Uh, Samsung does that with their handsets. They say, hey, buying this Ultra whatever, and it, we are going to patch it for four years and no more. Uh, OnePlus does the same thing. We are going to give you patches for like the next three major versions of Android, and that didn't change their cost. So I think that I lost you on the.
Chris Romeo:I am thinking more about like, maybe the lower-end bottom feeders of the consumer product market, which maybe it'll be good if, if they're driven outta business. Because, but when you think about, to Matt's point about OEM, right? Like if you go to Amazon, go to Amazon and search for, um, camera, security cam, internet-connected security camera, you will find 472,000 people that are companies that make internet security cameras. There are a few that bubble at the top of the market, like Ring and people like that, who you know have an established track record and likely a security team behind what they do. But then there's 400,000 of them that are just OEMing to a factory and creating it, and they're creating a least-common-denominator product they can sell for $17. So maybe it's them being, maybe they'll get pushed outta the market as a, as a component of this.
Izar Tarandash:But look, look, look how funny how, how things now change a bit. Let's go back to what Matt said, that, uh, some boards have pins that change the, the functionality and whatnot. I remember like 10, 12 years ago, because before we had all the, the, the cams-at-home thing, ecosystem, I, I bought a small Chinese Amazon clone to, to, to do my puppy cam. Right. And it came up with, oh my God, glaring to, to the point of the last episode. I ran that on it and, woohoo, did I get, did I get
Matthew Coles:Got actual results?
Izar Tarandash:And, uh
Matthew Coles:So it wasn't useless.
Izar Tarandash:I got actual, I got actual results. Yeah. And, uh, uh, long story short, turns out that they were OEMing, uh, um, a motherboard that was, was used by a different manufacturer that did have their, the clue in. So I was able to bring in that firmware, open it up, change the identifiers, turn the, the pinout into something that was willing to be, to be, uh, uh, uh, burned, and put the new firmware in, and voilà, now, now I have a new camera from a new manufacturer, and I didn't pay the full price. So the, the point is, even if we get to a, to a, to a point where some, the tail end of the manufacturers would fall because that would become too costly for them, or because they don't even have a, a, a software capability at all, they just get this generic blob, change the strings, change the logo, and pass it forward, they don't care. So either it's going to, to separate industries and create this firmware thing where they do all the, the regulations and whatnot, and pass that cost to the, the guy who's OEMing the thing, or it's going to fall onto the customer to, much like I did, figure out what is it that they paid less for, or make the, the, the conscious decision of saying, I dunno how to do this stuff, so I'm going to pay more.
Chris Romeo:Let's be honest, how many, what percentage of the world can do what you just did?
Izar Tarandash:So those people are going to be the ones paying more and leaving behind those, those, uh, uh, makers that are not willing to put up with the cost of security. So it's going to clean up the
Matthew Coles:Well, so we don't know. I don't think we, I don't think we know what the penalties are for non-compliance. Is that not allowed to be sold, or is that some massive amount of fines?
Izar Tarandash:Let me ask the viscount, but, uh, e, e, e, even if there aren't any penalties, right? Even if there aren't any, I think that the, the, the market forces that Chris is describing are going to force people out of the, the market. And I think that that's a, a net positive.
Matthew Coles:Consumer behavior drives us, I think, more so than, than, I mean the market, the market, the market for high, high security in the general population. A, a $10 camera versus a $50 camera, if you get the same functionality, and the only difference is whether they have a security team behind them, I imagine people are sold by the $10 camera.
Izar Tarandash:I am going to take some of Chris's optimism here and sort of throw it out there that in this time and age, where you open any newspaper and you have on the second page, uh, the baby camera started to talk in a very eerie voice and I don't know where it came from, people are waking up to the fact that these devices are, you know, more powerful than, than we usually give them credit for. So I want to believe that our job is going to eventually be made easier because market forces are going to ask for more security. And I would even say, without knowing, that if the UK went forward and came out with this kind of bill that goes and, and puts product security smack in the middle of the thing, it's because their public is already asking their politicians to do something about it.
Chris Romeo:Hmm.
Izar Tarandash:So it's a different kind of market force. Politicians don't wake up in the morning and create customer-protecting bills just because they, they're nice. They got forced to it.
Chris Romeo:Yeah, yeah, that's true. When you think about the average politician, they're not, they're not security people like we are. They're not driven. They're not gonna, they're not gonna try to, you know, increase the greater good of, of the technology landscape by pushing things forward. Somebody's in their ear, telling their, or paying for the, for paying for this influence in some way. Now, now I'm not so optimistic anymore. What just happened? How did I, what happened? That's true. We did have a good conversation with Adam Shostack about, uh, some, some other things that, uh, yeah, that's, that's a good point. May have, may have brought me down in that, that quick little, uh, that quick little thought process there. Well, how about the last one? So this one seems tough to, to have a, to be against, because I think most people in the market are doing this now. But device manufacturers will be required to publish contact information to allow reporting of vulnerabilities. Matt mentioned it a little bit earlier, but, I mean, I can't think of a major company that I use a product from that doesn't do this now. Like this seems like, so 1990s of a requirement. Like in the 1990s, we didn't have this. There were still a lot of companies in those days that had security@ addresses. Um, but I feel like in 2023, does anybody not have security@ their company routing to somebody who can listen?
Izar Tarandash:You know what's funny? I, I even, I, I look at the other side of the thing. Having, having been at, uh, the receiving side of a number of, uh, bug bounty, uh, campaigns for, even the, the, the, the, the people who are doing the, they themselves don't think about emailing security@ what, wherever. So it may be that by, by crawling on people's ears, we got companies to, to have this, this even sort of standard security@ whatever. But the, the, the consumer side is not educated to that.
Matthew Coles:And.
Izar Tarandash:So I think that this is one of those that goes like to, to both sides and, and clearing up that channel. And hey,
Matthew Coles:And, and I think that this is, so there's talk, talk about cost here. Um, it's one thing to have a, an email like support, you know, supported company X, y, Z, right? So you have a vehicle. Now I know from, from experience, from from working in a couple of companies that do consumer products that. support channel, they may not be fully aware of how to handle a su a security issue. They may not have people on staff initially to handle that. So you have to have people who know how to handle security issues recognize that something is a security issue, right? Cuz somebody may say, you know, may report something in a way that is very technical, but isn't recognizable to the support person as, oh, this is a security problem as opposed to a customer support problem.
Izar Tarandash:Mm-hmm.
Matthew Coles:The law, the regulation is very particular here and, and the important part is not actually having a point of contact. The, I think the important part is that there's a receipt of an acknowledgement that, that a report was made and that regular, ongoing communications is made. on the status of that issue. Right? And that's I think where companies, especially companies that are not well funded, that don't, that, you know, these run these, you know, 400,000 on Amazon companies, right? May not ha, may not have the facilities to do this on a regular basis. They, they can barely do it for support issues. In some cases, you know, if you call up and I say, you have a bug, or I can't get the device online or something, but now you're gonna have to do this for managing a security issue. The other challenge. Is again, it needs to be, uh, without gathering personal information from the submitter and free of charge in English. So you have, uh, you have challenges of most people that, most companies, I think, that supply support. Don't do that for non-customers. Meaning they wanna know who's making the report. You know, is it one of our devices or is it one you have a support contract for? Or you know, or have you bought a subscription, not random person submitting a vulnerability report and then having an ongoing conversation with them?
Chris Romeo:Yeah. I do have a, a thought here that I'd love to get your guys' take on this. Does anybody even report security vulnerabilities to security@ anymore, like in the world of bug bounty? It's because I, I mean, I remember security@ back in the day when, there was, bug bounty didn't exist yet. And so people were using it to report things to Cisco, for example. Or even the web hosting company Exodus that I worked for. People would report security issues. You know, somebody's DDoSing me from your IP address range would come to security@. But I mean, it sounds like you got, I mean, just by the looks on your faces, that nobody's using security@.
Matthew Coles:It
Izar Tarandash:no, no, no, no, no, no. Wait, wait,
Matthew Coles:occasion, I think still, uh, and I'll just say a couple years ago, I, I think as of a couple years ago, was, that was true.
Izar Tarandash:Let's, let's go back to dust
Matthew Coles:Oh God.
Izar Tarandash:I, no, no, no. Wait, wait, wait, wait. This, this is good. This is good. This is good. On, on the last place that I was, that, uh, I, I had visibility on the, the bug bounty. We would commonly get, uh, uh, emails directed at security@ where, have somebody, usually in horrible English, saying, uh, that they had, uh, identified a missing header on an H, whatever, right? And that, uh, they were interested in knowing if there is a bounty available. So they, they, they don't even have the patience to go to the places and see if there is a bounty available. They just blow everything that comes out of the desk into security@ and, but bodies pray and
Matthew Coles:and realistic, I think we're, we're using security.
Chris Romeo:our value
Matthew Coles:using security@ as a, as a placeholder, I think, for, and Twitter and Facebook, and, you know, et cetera. All the, all the means by which, and, and by the way, a lot of companies have support for, you know, community support forums, right? They don't offer regular support, so they have a community site. And so somebody's submitting a, a vulnerability report through a community site. Hey, I found a vulnerability. How do I report this to you responsibly? Or, here's the exploit code, publicly available now, posted online to lots of community support or Reddit or whatever.
Izar Tarandash:Bef, before we, we run out of time, uh, the, we, we are talking about how things are going to be reported and, uh, all that good stuff. But it says, what is it that has to be rep, that can be reported, right? So there is, uh, four bullets: hardware of the product. Fair enough. Software that's pre, pre-installed in the product. Fair enough? Uh, software which must be installed on the product for everything to work. So something that a customer has to install into the product for, to get the whole functionality. Fair enough. And then the four, fourth one, software used for or in connection with any manufacturer's intended purpose of the product, unless the product is a smartphone or a tablet computer capable of connecting to networks. So to me, that reads a bit like, hey, we can start reporting, uh, uh, third-party libraries into, to, to, to vendors, and they are expected to do something about it. Or am I reading too much?
Matthew Coles:I think, uh, I think that's a confusing wording. Um, software used for
Izar Tarandash:Or in connection with
Matthew Coles:manufacturer's intended purpose, unless the product is a smartphone or tablet.
Izar Tarandash:And, and what's special about smartphone or tablet computer capable of connecting to cellular?
Matthew Coles:That is an interesting call out. Yeah.
Izar Tarandash:You can talk about everything unless it's a, a smart, uh, what's the name? Snapdragon. Don't, don't talk to us about the modem in your device. What, why, why is that a thing?
Matthew Coles:Well, actually, the modem is in scope. The modem is hardware. It's only the software that may use that modem that may be outta scope.
Izar Tarandash:Oh, good point. Is firmware software
Matthew Coles:Yes.
Chris Romeo:Yes,
Izar Tarandash:then.
Chris Romeo:it is.
Izar Tarandash:Then you can't talk about the former firmware on the,
Matthew Coles:It's an interesting, it's an interesting call out. Why, specifically devices that go that connect to cellular networks?
Izar Tarandash:I smell
Matthew Coles:it may be that those are, it may be those, those are covered under another regulation that we're not, we're not up to speed on
Izar Tarandash:They, they did not discuss this in the last we count, uh, meeting. I, I, I smell conspiracy. Something to do with 6G.
Chris Romeo:The Minister of Artificial Intelligence and protecting intellectual property for the Security Table smells a rat somewhere. So, with that, we're out of time for this episode. Uh, it was fun to bounce through and, and think about these things. I think in general, we landed in support of most of them, maybe with a few questions or clarifications on, uh, some of the things they're doing. Uh, but hey, Matt's looking quizzical, like he didn't agree.
Matthew Coles:No, no, no. I'm just looking to, now that I understand the law better, uh, there's more exceptions and we could talk about that at length, but, uh, not now.
Chris Romeo:There's always exceptions to, to every, that, that's the, the, the, the devil's in the details, or the exceptions is, is what I think we'll
Izar Tarandash:Wait for the book and the exposé from the Viscount
Chris Romeo:Viscount.
Izar Tarandash:on the conspiracy of why not smart.
Chris Romeo:For Viscount Izar, and just regular Matt, we're signing off on the Security Table. Thanks everybody for listening.