[Cryptography] A reasonable cybersecurity law?

Henry Baker hbaker1 at pipeline.com
Mon Dec 6 11:27:56 EST 2021

-----Original Message-----
From: Jerry Leichter 
Sent: Dec 5, 2021 5:22 AM
To: Cryptography List 
Subject: [Cryptography] A reasonable cybersecurity law?

We'll have to see what law actually emerges and, even more important, how it works in the real world, but Forbes reports https://www.forbes.com/sites/daveywinder/2021/12/04/this-new-2022-law-will-ban-use-of-dumb-passwords-in-smart-devices/ on a proposed British law that, for consumer "smart" devices:
o Forbids the use of default weak passwords. Every device must have a unique
password, and there must be no mechanism to reset it to a single universal
o Requires that a contact for reporting security vulnerabilities be published;
o Requires that the period during which the device will receive security updates
must be published at the point of sale; or if the device won't receive such
updates, that must be explicitly declared.
Then again, the article mentions a California bill from 2018 with some similar provisions - but I'm not sure if it ever went into effect, or if it did what effects it had.
-- Jerry

I would dearly love a law that automatically 'open sources' any firmware that doesn't get a security update within a short period after a security flaw is discovered.

Of course, this requires that all software be escrowed, so that such open sourcing can actually happen.

(Some prominent vendors also need to have their butts kicked due to existing FOSS license

Our landfills are filling up with perfectly good devices whose manufacturers refuse to supply firmware updates.

In a few years, we're going to be adding *vehicles* to this landfill due to the failing firmware in their engines & safety-related systems.

And this, while open source *volunteers* are happy to supply many/most of the fixes.
