The article focuses on the security issues surrounding his new NAS, and that's fine. But the problem isn't security. It's Trust.
Consumers generally trust that manufacturers will follow Best Practices and that security is part of the deal: I pay you money, you give me a quality product that Just Works and is Secure.
False.
Products are made to be sold at a profit. You can imagine that some engineer at that company knows about this problem, put in a Jira bug for it and since it didn't affect overall functionality, and because the product needed to be released as soon as possible, they rejected the bug and sent it off.
By default, we should NOT trust that things are Good and Secure. If we are security conscious, then it's on us as consumers to figure out how to mitigate these problems. Or is it?
If I was this guy, I'd box that thing up and send it back and give the company feedback as to why, and then I'd show them this very blog post.
The manufacturer probably won't care. They know that until the average consumer cares about security and knows how to mitigate problems it won't matter. And we all know that the average consumer, even of technical products, has security habits.
Now if you'll excuse me, I need to go take care of some security stuff on my boxes. This really got me thinking about it!
Yeah, until we see these companies get large fines for not following the best practices, and the engineers in charge lose their licenses, nothing will change.