FTC Dings ASUS For Selling 'Secure' Routers.


Why is the FTC posting sensationalist crap for the casual user?

One of their pointers is "Don’t just click “next” during the set-up process."... Thanks for the tip.

Is this some political smear campaign? Every company has released vulnerable software...


Seriously, the actual complaint pdf cites zero commonly accepted security/exploit databases in any of the individual issues.

Is there something I am missing?

You missed...

For more privacy, choose “limited” or “admin rights” access instead of “limitless” (internet access).

Change pre-set passwords. ... create new passwords that are strong and unique for both your router and any “cloud” services — something only you know. This can help prevent hackers from getting easy access to your network.

Be cautious when setting up “cloud” features. Before enabling any sharing or storage features, research what those features mean and who will have access. Make sure access is limited to what you’re comfortable with.

Stupid is as stupid does...

If the following Slashdot post is to be believed, it may be a reason why ASUS got hit by the FTC before others.

http://m.slashdot.org/story/307695

According to the post: "The complaint was raised after well-meaning hackers exploited a weakness on Asus routers and left a note on victims' drives notifying them of the matter."

Looks like ASUS was just unlucky to be the one targeted; similar results could probably have been had with other manufacturers as well. I'm sure the FTC will eventually get to them too, as RMerlin's links give good indications that such issues are widespread across manufacturers.
 
Do door manufacturers have to provide certified dead bolt locks with instructions on how to insert the key and turn it, and advise you to do so when leaving your home? Better audit them if not!
 
Security audits: most companies do run these internally in most cases. Having to report the results to the FTC as a result of the order, that's the extreme part.

The duration is what strikes me as odd. Let's say Asus were a bank and were found guilty of fraud, what would a typical mandatory regular audit period be? 5 years? 10 years maybe?

Seeing the amount of backdoors and security holes found in all those home gateway devices, I'm pretty sure NONE of those manufacturers do any audit. Asus probably did a (minor) one in 2015, seeing the number of security flaws they suddenly started fixing.
 
Let's say that during the audit period, there is a vuln that makes it to public release.

Is the gov auditor held responsible? Now we audit the auditor for 20 years... now... surely with 2 layers of auditors the published software will be perfect, right?

"Perfection is always an option." - Is that the saying?
 
Probably a competitor, or an unhappy government worker with Asus or maybe the government is using Asus gear and they don't wanna get hacked lol.

Sad thing is, if it was a competitor, and Asus continues to make routers and the audits, they will probably have one of the better/best security firmwares out there, making the competitors more jealous lol
 
Assuming the auditor actually does a good job. It could just limit itself to basic penetration testing, without actually auditing the code, or barely glance at the code for low-hanging fruits.

If they do go through a thorough code audit however, I agree - it might give them in the end a pretty solid codebase, which would be an advantage over some of the competition who are in the same market segment.

Personally, my main worry is AiCloud. Most of its code is both closed-source (the lighttpd modules) and obfuscated (the JavaScript UI).
 
That is why, in the past, I never trusted them; this just reinforces and confirms my suspicion. I did disable all of the cloud features of my Asus router. Glad I never used those cloud tools.

Matter of fact, I just changed the password to a stronger one, instead of the 10 to 12 characters including numbers, capital letters and symbols.

For now, I will use it as an access point, nothing more, including only MAC address identification. I have never messed with any replacement firmware, but from now on I consider that my top priority. Hopefully I will find a replacement firmware instead of that Asus junk firmware.

I'm upset with this mess. I find it profoundly disrespectful from Asus.
 
My password has long been a 33 character mix of upper & lower case alpha, numbers and symbols with few common words. And I've never really trusted any cloud offering with anything important. I think those types of things are my responsibility, not any vendor.
 
Assuming the auditor actually does a good job. It could just limit itself to basic penetration testing, without actually auditing the code, or barely glance at the code for low-hanging fruits.

Depends on how they set up the audit, and what's agreed upon as a suitable audit report back to the FTC...

I can't see them being held accountable for upstream code, other than to identify and possibly remediate a fix, and pulling the fix into their mainline code base once the upstream has "fixed" it.

If they do go through a thorough code audit however, I agree - it might give them in the end a pretty solid codebase, which would be an advantage over some of the competition who are in the same market segment.

Within Asus's original code, yes... and perhaps due to the audit, (and other vendors if they get taken to task like Asus did), it will be a better, more robust codebase all together - which is a win for the industry at large...

Personally, my main worry is AiCloud. Most of its code is both closed-source (the lighttpd modules) and obfuscated (the JavaScript UI).

That will be a challenge that the team at Asus will have to take on head-first - that, and the backend services that support the Asus features like AiCloud and the like...
 
Serious question, I see this as a win for us. Why does it seem like people are upset by this? I do agree that 20 years seems to be a bit much but that's on Asus. What negatives would come from this that would affect the consumer?
 
SFX, I found your comments very knowledgeable.
 
I agree, just get irritated at inconsistent application of the rules.
 
I agree - and the processes that Asus will have to document and put into place, and actually practice (anybody recall ISO9001?) will, in many ways, make Asus an even better company - and that's a win for them and their customers...

(IMHO, I'll say again, 20 years of Audit requirements is a bit over the top)
 
A 33 character mix of upper & lower case alpha, numbers and symbols with few common words.
Are you writing a new paragraph for a book as a password?
Hilarious, that is a long one.
You gave me an idea, I might use an encrypted signature using GPG as a password. Then copy and paste it. That will be a good encrypted long password.
Guarantee more than 33 characters.
 
pwgen is a package available on most mainstream Linux distributions.

example output... you can vary the length, the default is 8 characters...

(BTW, I wouldn't use the ones below for obvious reasons)

Code:
$ pwgen -C 32
iethaephieG6phueF9ewoveohohmeing
tee3xu5dirook8aiSh8Ohheceech1hah
AhChooh8eG6xicesaiY0jeaw0Feiteih
pei6oocoongae1cee6VaeKi8aebi7Eem
ooy5uwie6alooSh9jaem6aethe1rie6A
eiYoh8eegh1shu8bi8IeQua7bee2iawo
Cheepheyosaiphee6pa8jei0Leidaing
geeh6Oed9was1sheiv5eilowaenguvai
 
Just taking security seriously. The recommendation I found a while back was 32 random characters. I know people who use 63-64 truly random characters. I use a phrase which I can remember with some special characters added and some numbers substituted for similar looking alpha characters. It's really not hard to remember and I think reasonably secure.
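An added example, written for this page and not taken from the thread or from pwgen itself: a small POSIX shell script that draws a password from /dev/urandom the way the pwgen call above does, plus an entropy estimate so the lengths discussed in the thread (pwgen's 8-character default, 32 random characters, a 33-character mix of upper/lower case, digits and symbols, and a multi-word passphrase) can be compared in bits. It assumes only tr, head and awk are present; the 7776-word list size on the passphrase line is a constructed value for a diceware-style list, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread or from pwgen): draw a random password from the
# kernel CSPRNG and estimate its entropy, so password lengths can be compared in bits.

# gen_password LEN [CHARSET]
# Draws LEN characters uniformly from CHARSET (a tr(1) set; default A-Za-z0-9, the
# alphanumeric alphabet pwgen uses without -y) by filtering /dev/urandom.
gen_password() {
    len="$1"
    charset="${2:-A-Za-z0-9}"
    # LC_ALL=C keeps tr byte-oriented; head -c stops the stream after LEN characters.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$len"
}

# entropy_bits ALPHABET_SIZE LEN
# Entropy of LEN independent uniform draws from an alphabet of ALPHABET_SIZE symbols:
# LEN * log2(ALPHABET_SIZE), truncated to whole bits. Only valid for uniform random
# draws; a memorable phrase with letter-for-digit substitutions is not uniform and
# this function would overstate it.
entropy_bits() {
    awk -v n="$1" -v l="$2" 'BEGIN { printf "%d\n", int(l * log(n) / log(2)) }'
}

main() {
    pw=$(gen_password 32)
    echo "random 32-char alphanumeric password: $pw"
    echo "  entropy: $(entropy_bits 62 32) bits"
    echo "pwgen default, 8 alphanumeric chars:   $(entropy_bits 62 8) bits"
    echo "33 chars from the 94 printable ASCII:  $(entropy_bits 94 33) bits"
    # 7776 = constructed size of a diceware-style word list (assumption, not from the thread)
    echo "6 words from a 7776-word list:         $(entropy_bits 7776 6) bits"
}

main "$@"
```

The point the numbers make: 8 random alphanumeric characters is under 50 bits, 32 is about 190, and a six-word passphrase drawn uniformly from a large list is roughly 77 bits, which is why "32 random characters" and "a phrase I can remember" are not in the same class unless the phrase is also chosen at random.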
 
