Hey folks. Welcome to another episode of The Security Table. I am joined by my friends Matt Coles and Izar Tarandach, and I am proud to announce that we have given Izar a new title here on the Security Table. He's now officially Minister of AI and whatever the other thing was, I don't remember.
It was, it was, it was, wait, wait, wait. I have it here. It was Minister. Minister for AI and Intellectual Property. The
that
viscount, the viscount. Cameras. I, I want the viscount part.
Yeah. Okay. We can add that too, cuz listen, in the security table, we can, we can do whatever we want. That's the beauty of, of sitting around the table here. We can make whatever decisions we want. So Matt will work on your title. We, I don't have a good one for you
Magnanimous Threat Modeler for Life.
that, that sounds like a good tattoo. don't know about a title, but I could see Matt tattooing that across his chest, you know, in that.
certain
threat
invisible ink, with with ultraviolet ink. So it only shows up at, uh, certain times.
only when you pass through
That's right.
We should do the, the thing. Like "Threat Modeling Life didn't choose me."
Actually, actually, we, you could do, you could do on, I can't put my hand here. Th threat. So we need six fingers, right? We need six fingers. So,
T H R E A T. Well, you put two letters across, one knuckle.
wait. How many do you
I, I have, I am not the six-fingered man.
And we just did a quick inventory.
we got, we got our princess bride in, in for the day, so we're good.
There you go. We are actually here to talk about something serious other than threat modeling, tattoos, titles, and other types of fun stuff. So the, uh, we've been, we've been tracking and Izar brought to our attention. The, uh, the government of the United Kingdom has some minimum security standards that they're kicking around. Um, Countdown begins for new minimum security standards regime for all consumer products with internet connectivity.
So while we do love to be part of a good regime, first of all, if we get that opportunity,
Coffee
thought we, I thought we would, we would unpack a few of the examples that they gave here. We're not gonna dive into this entire document, but. Let's unpack a few of the different things that, uh, that they're referencing. And I, I did have a chance to scan through the, uh, the act itself, and they did have a pretty broad definition of consumer products to include mobile phones and other things.
So this isn't just IoT that they're, that they're prescribing these types of security requirements for. But let's jump in with the first one and just, just kind of go through this list and. Maybe pick it apart a little bit and see what, what are our thoughts on this? And so the first one says, the banning of universal default and easily guessable default passwords on consumer connectable products. So this one feels like we've been saying this for two decades at this point.
Saying, we've been shouting, we've been crying.
We've almost gone through the five stages of grief in this particular, to try to get people to, to, to, to respond to it. You know, there was denial. There was, you know, all these things. But yeah, it seems like this is one of those ones that I feel like we've been saying for a long time.
Yeah, we, oh, go ahead. You first.
No, no, you, you go, you
The viscount first, please.
So So the, the, the things that, it's funny that right when we are starting to, to hear people going, uh, about a bad passwords, then we finally get somebody to shout, Hey, hey guys, stop with the, uh, the default, right?
This isn't the first time, this isn't the first time we've seen, we've seen regulations and, or, or well, guidelines, certainly. And, and or regulations to
Guidelines.
to have default passwords removed.
But these are actual, I don't remember seeing actual regulations that
no. Uh, this is, well this is the, for the uk this is not new. I believe that they've had with security last year, they had regulations around, around this. Um,
Yeah. So
What do I know?
what's the, just for, for, maybe we might have some people listening that don't, that haven't been living this, this battle for the last 20 years of their lives with default passwords. So let's, let's just lay a foundation, uh, Matt, like what are, what, what's the challenge with a default or easily guessable default password?
Seriously. Uh, if, if, if a, if a credential is well known and something has access to a system. Uh, so, so first off, often default passwords are well documented, and by well documented I mean they exist in the product documentation, which makes its way off into public-facing websites that anybody can look up. And so having access to a system, uh, and, and many systems today are,
at least within the home network, if not internet-facing, uh, either, either by design or by accident. Uh, and so that gives an attacker direct access to what is most likely a highly privileged account. I mean, in a nutshell, that's why we don't like default passwords, and, uh, and so, um, it is hard, it is important. It is usually easier to fix the default password than it is to fix the secure, uh, connected deployment aspect.
Hmm. Yeah, and I was, uh, I was working at Cisco in the days of cisco123, which was still the, the default credential, and
Oh,
been, you'd be a slacker to use password123 at this point, right? With uh,
Yeah, but I mean every, everybody across the internet knew cisco123 was the default. When I take the metal box out of the cardboard box, I apply power, it brings up a login. If it had a login or whatever configured, it was always cisco123 is the way in. So that, the challenge being that everybody knew kind of what that was, and so it sounds like we're, we're violently in agreement here that this is a good practice. It's almost like we wish it would've been implemented 10 or
Remember root, you had root, roots, route, and then toor, 'cause people tried to be fancy, right, to get rid of the default passwords by obscuring it. We know security by obscurity doesn't work.
Although I have to pop the ball and the balloon there somewhere, so I wonder if they're saying, uh, what's the minimum that should go in place instead of this, like, are we going to start looking at, uh, government given password policies? Not that those work at all, but, or are we going to start seeing, uh, vendors become more creative in the schemes that they use for that kind
Well, are you su, are you suggesting
many times you get, no, many times you get a d default password, like either as a, a setup thing. and you are forced to change it. Right? And that's good. That's great. We, we have always been saying that, that that is the way, but sometimes the vendors say, Hey, we need that default password, because otherwise, how can we service the device? Right? We want to reach out and touch someone. We have to know how to get into the house.
Do people, do, do companies even do that anymore though? As a strategy to, would they do remote? Like I would've thought that would've been a thing of the past of, of doing remote troubleshooting and support
Your optimism is endearing.
Now I think, I think that that's a regular.
I'm an eternal
still a regular practice by, by companies, especially with, with a, i I think a lot of companies shifting towards managed services over years. Um, so I don't think this is, I don't think this is unique or, or special in any way, shape or form. Um, Maybe it, maybe it's no longer that, um, uh, you know, you don't, companies are, don't feel like it's necessary for the consumer to, to have access. Um, but I think there's a value add play there, uh, for, for a number of organizations.
things like, uh, SCADA and uh, industrial controllers and stuff like that, so I understand that that's still very much a practice.
But, but then I think the expectation there is the, again, the deployment scenario is such that it's. Limited and restricted access, and therefore, uh, having a default credential is, uh, is less severe. Um, and so, but we also know from, from history and experience that their threat model is, uh, is maybe not as, um, fully fleshed out as, as, as it should be. So,
Or it doesn't go forward
Well, that's what I mean, right? It doesn't evolve with the threats that actually exist as the system gets deployed and, and, and it is maintained. Um, now it's interesting, you know, just, I, I did quickly look at the, uh, at the actual regulation here. So its, passwords must be unique per product. or defined by the user of the product.
And so the, the argument that an organization might make, company might make is, well, if we don't have access to password, how are we gonna be able to provide support services? The flip side of that, of course, is if you set, if you set it uniquely, you'll just have to, uh, no, I, I wanna be careful. The wording is a little vague. It says unique per product. Is that per product as built or per product deployed.
So that's a, that's one interesting question, but the, um, if you allow the user to set a credential, in other words, if, so, interestingly enough set up time, it pops up a dialogue that says, do you wanna set a password, otherwise you don't get in. Or does it start with no authentication, which would potentially be even worse.
Um, and because some users may, may skip that step if, if they're allowed to, um, But a company that's providing a support service would then have to gain access to that credential. They would be, uh, they would need to have a partnership with the consumer in order to, uh, in order to provide the service that that's expected.
Yeah, you're kind of describing a single credential world from a, I mean in, in this particular, I mean, in this day and age, imagining a product that only had a single credential that I had to share with somebody else would be a
Well, I'm talking about specifically an administrative or, or configuration, you know, support credential, right? User credentials should be user, user specified, maintenance, and, uh, dare I say backdoor, but I won't, don't want to use that term here. Um, cuz in theory these are all documented credentials, uh, or, or at least well known interfaces that have credentials. Um, Those things I think are what is really in focus for this effort, right?
So if we talk about an embedded system or a device that's supposed to be relatively hands off for, for an actual user, you may have a maintenance account or, um, or a support account or, or a configuration account, um, that would require a credential. And I think that's the, that's where this becomes the challenge, right? Because you want to be able to man, manage a, maintain or manage a fleet of devices. Do you wanna have to manage. A fleet of credentials for those devices too. I know, I know.
You do and I do. Uh, but, uh, an organization providing services, you know, Geek Squad, Geek Squad is gonna have to do that.
I wouldn't let Geek Squad near my network,
Yeah, but that's the thing. The people that would, would probably either not care or not know about this, the size of the things. But Matt, a question that, that just, uh, uh, came up to me while we're, you were talking, you probably know about this. Do we have any precedent on consumer products? Like, let's say I, I bought a, a router. I'm setting it up. I enter my user password, but for anything that requires privileged access, I have to actually go and flip a hardware switch.
I don't think I've seen that on a device in recent memory. Um, I know that there are, so, I know, I know some IoT devices, and IoT devices means smart devices for home use, not routers per se, but some of the others. That service access is actually physically protected, meaning you have to either gain access to a port that might be, um, uh, not, well, not, not easily accessible, or you may require a special cable because it has a certain pinout that doesn't allow
Traditional access, but I don't think I've ever s I don't, I don't recall seeing something where you have to have a physical switch in order to put it into service mode in, in that way.
How cool would it be? If the same way that we have keys to our homes, we would have like a, a YubiKey or something like that. And whenever you have to change something that's, uh, uh, privileged inside your, your home devices, you would have to put
Uh, I can tell you that depending on the nature of the device, um, and the, um, I guess the nature of the device and its costs, and I, I mean, cost to manufacturer and, and maintain, uh, many of the devices, many of the chips that are used don't have the crypto support to be able to mana to do something like that. Um, so.
But in, in this case, it wouldn't even be crypto. You could just like register one of those. They have unique, uh, uh, serial numbers just the fact that you physically put it in there means, Hey, it's me. I'm inside the house and, uh, no, I can do whatever I want.
there needs to be a, a whole suite of connected products for people like us with high assurance needs and requirements, but I don't think the average consumer wants to pay double whatever the smart thermostat costs to have the ability to protect that device in update, you know, from when an update's being applied or they don't want the, the inconvenience
But wait, aren't people already used to the, uh, to the, uh, uh, touch your phone to, to pay for gas or
Which requires NFC.
couldn't we have? Yeah. Why, why couldn't we have that? In, in, in
So how do you secure that? So NFC is not without risk. Bluetooth is not without risk. Right? It's a proximity, it certainly is a proximity thing. Um, and I guess that's the argument, right? Is that you're, if you, if you have the ability to do NFC, you're physically next to the device.
Or don't, don't NFC, go back to the, the YubiKey as registered, but it, it's a very easy 2FA that I think that people in this time and age would, would already be willing to accept as it's like your, your digital home
so I, oh.
to the. I was gonna say the value of the asset, right? Like the average consumer out there is not as concerned. They, they may be willing to, you know, to make strides or whatever. They're just not as concerned. Like when you think about proximity, if you did something, those proximity based, somebody who used to be a high level government official and has a higher risk profile than. Somebody who's, um, you know, just never been famous.
Let's just say, I think, I think there is a, like, you don't have to worry as much about somebody trying to get into
Somebody with less of a risk appetite. Yeah.
yeah, yeah. Somebody's gonna try to get to use Bluetooth to attack somebody who's, there's just a risk profile there. Some people would be higher level targets where somebody might want to try to attack Bluetooth to, to disrupt something in their
So, uh, now it's important to note, I think for the purpose of this, of the thing that we're talking about, the regulation that we're talking about, um, they have specifically taken out of the conversation non-password-based systems. So if you're using Bluetooth, if you're using Bluetooth and NFC as a means of access control, uh, for authentication or, or to, uh, MFA, um, that, that portion is, is out of scope. So, specifically out of scope, they do not include cryptographic keys.
So anytime you're using NFC, you're gonna be, or, or, or some, uh, you know, device, something you have or something you own that's in close proximity, there's gonna be a key exchange that occurs. That's not a password. So that's outta scope. Uh,
Okay, the next
the next one. Yeah, we only got three more to go.
what's our track record here?
second one. We're about, we're running at about 15 minutes per, but we're gonna do
The, the second one is easy.
is it?
Yeah. Increase manufacturer transparency on how long products will receive security updates,
Yep.
helping the consumer make better purchasing decisions is the goal here. So basically, I guess what it's saying is, if I'm building a product, I have to, on the label or on the box, I have to say, we'll receive product updates until January 2027.
Assuming we are still in business,
Asterisks, put an asterisk after
Yeah, so, so looking at the regulation, it is, it is a little bit easier to understand on this one. It applies to hardware and software or the combination. So that's actually really critically important, and it requires a contact person, so it requires a point of contact. So many companies already maintain security@companyname.com, um, or they have a PSIRT or, or CSIRT team, uh, that's, that's sort of a point of contact, or even a legal team.
Many, many, some companies have legal as their point of contact, uh, and uh, or they have a support channel, something which is definitive that somebody can say, okay, I can report a security issue, or make requests. Uh, and then when somebody makes a request specifically, they will get back, they need to get back at least an acknowledgement that the issue was received, and status updates on a regular basis.
So that's the reporting part and uh, a place to indicate how long security updates, like, like Chris was saying, we see this with, um, things like, um, Chromebooks or, or, or Android support. Right. The, there's a definitive timeline of when the last security update will be, will be applied, right. Um, so some companies already do this, um, but this is a call to action for smaller OEMs and, and ISVs to, um, to really think about this long term. That product release is not your goal. It's, it's.
product lifecycle, including to decommission and, and, and destruction.
Yeah, and, and I know where this is coming from. Like in the early days of iot, there were products that were rushed to market that didn't even have an update
Mm-hmm.
So it was like, oh, this, if it, if it's not working as you expected, you're gonna need to throw it away and buy another one. And so that I get, that's where some of this is coming from. I think if we look at the next one, the next one was a little, was a little more puzzling to me and, and maybe you guys can help me.
Oh,
Factor what's
actually, before we move on to that next one, so an interesting comment, uh, on this regulation. So in the specifically the section around, uh, around security updates. So again, somebody can make a request for, um, For how long things should be in support for, it has to be provided without any prior request, without, without costs, without requesting personal information in a way that is understandable to a non-technical reader in English specifically. So that's an, that's a
That just got a lot harder.
Well, the, the what? The non-technical audience part.
Well, no, I mean, I can't make it. I can't charge for it though. So you're basically telling me that I have to pick a date, an arbitrary date in the future, that I'll update this thing through and I have to, so I have to build that into my cost model. So that, that's, I'm gonna, I'm gonna, I'm reaching kind of a, a, so, almost a soapbox moment here.
Cause I'm realizing, I'm realizing what's happening here though is that this is gonna add, so these products are gonna have to double in cost to make something like this work because I, you know, like when I buy a new computer, I can buy an extended warranty. To support it for, for an extended period of time. Sounds like what this is telling me is I can't do that anymore.
I still have to have a, a, a base, a security level of updates that's included and that I can't charge for until I reach the end of life that I've put on the label. On the box. Is that, am I interpreting this right or am I, am I missing the mark?
So the, I'm not sure about on the box. It does say about publishing it on a website. or making it available on request. Uh, what's interesting though, what's also, also interesting here, so this, this may go, go to your soapbox moment, is as a manufacturer, if you choose and publish a date, you cannot ever make it shorter than that. You may extend it, but you can't make it shorter than that.
So if you decide, oh, we, we need to end-of-life this thing earlier than, than necessary, um, you know, planned obsolescence, for instance, uh, before that target date, that's a no-no. Um, and so you really do have to plan your support resources and, and everything, because again, you're gonna have to commit to security updates.
And security updates for technologies where you may choose technologies that are reaching end of life when you choose them and they go end of life after, uh, before your support date ends. Uh, or, or other factors. You know, if, if, uh, if, if you have an, if you have a website and you're in and you're using, uh, node for instance, and one of those node projects just disappears, uh, you have to plan for that and you have to be able to account and manage that.
And maybe you're doing patches on your own for security issues. So, uh, that's, um, That, that does potentially have a cost to it, but that's a, that's a cost that should have been, should have been born anyway by the engineering effort.
I am
Uh, what Are you confused? We're all confused,
It seemed to me. No, it, it seemed to me that we were on the second bullet, the one that talks about how long products will receive
are, yes.
for, and somehow we jumped to the fourth bullet, which is device manufacturers would be required to publish contact information to allow
Sorry, I, I, I brought them together because they're, they're mixed together in the same section.
Yeah. Then I went to look at the, sorry. I went to look at the, the law itself, and I, I'm utterly confused because this paragraph has to comply with that paragraph and the other paragraph, and my God, I was not born for this. But, uh, okay. At, at, at the end of the day. J just to go back to, to Chris's point is that this is going to make things
Yep.
Uh, Samsung does good with that with their handsets. They say, hey, buying this Ultra whatever, and we are going to patch it for four years and no more. Uh, OnePlus does the same thing. We are going to give you patches for like the next three major versions of Android. And that didn't change their cost. So I think that I lost you on the.
I am thinking more about like, Maybe the lower end bottom feeders of the consumer product market, which maybe it'll be good if, if they're driven outta business because, but when you think about, to Matt's point about oem, right? Like if you go to Amazon, go to Amazon and search for, um, camera. Security cam, internet connected security camera. You will find 472,000 people that are companies that make internet security cameras.
There are a few that are at bubble at the top of the market like Ring, and people like that who you know, have an established track record and likely a security team behind what they do. But then there's 400,000 of them that are just OEMing to a factory and creating it, and they're creating a least common denominator product. They can sell for $17. So maybe it's them being, maybe they'll get pushed outta the market as a, as a component of this.
But look, look, look how funny how, how things now change a bit. Let's go back to what Matt said, that, uh, some boards have pins that change the, the functionality and whatnot. I remember like 10, 12 years ago, because before we had all the, the, the cams-at-home thing, ecosystem, I, I bought a small Chinese Amazon clone to, to, to do my puppy cam. Right. And it came up with, oh my God, glaring, to, to the point of the last episode. I ran that on it and woohoo, did I get, did I get
got actual results?
And, uh
so it wasn't useless.
I got actual, I got actual results. Yeah. And, uh, uh, long story short, turns out that they were OEMing, uh, um, a motherboard that was, was used by a different manufacturer that did have a clue. So I was able to bring in that firmware, open it up, change the identifiers, turn the, the pinout into something that was willing to be, to be, uh, uh, uh, burned, and put the new firmware in, and voilà. Now, now I have a new camera from a new manufacturer, and I didn't pay the full price.
So the, the point is even if we get to a, to a, to a point where some. the tail end of the manufacturers would fall because that would become too costly for them or because they don't even have a a, a software capability at all. They just get this generic blob, change the strings, change the logo, and pass it forward. Then don't care.
So either it's going to, to separate industries and create this firmware thing where they do all the, the regulations and whatnot, and pass that cost to the, the guy who's OEMing the thing, or it's going to fall into the customer to, much like I did, figure out what is it that they paid less for. or make the, the, the conscious decision of saying, I dunno how to do this stuff, so I'm going to pay more
let's be honest, how many, what percentage of the world can do what you just did?
So those people are going to be the ones paying more and living behind those, those uh, uh, makers that are not willing to put up with the cost of security. So it's going to clean up the
Well, so we don't know. I don't think we, I don't think we know what the penalties are for non-compliance. Is that not allowed to be sold or is that some massive amount of fines?
Let me ask the viscount, but, uh, e, e, e, even if there aren't any penalties, right? Even if there aren't any, I think that the, the, the market forces that Chris is describing are going to force people out of the, the market. And I think that that's a, a net positive.
consumer behavior drives us, I think more so than, than, I mean the market, the market, the market for high, high security in the general population, a a $10 camera versus a $50 camera if you get the same functionality. And the only difference is whether they have a security team behind them. I imagine people are sold by the $10 camera.
I am going to take some of Chris' optimism here. and sort of throw it out there that in this time and age where you open any newspaper and you have second page, uh, the baby camera started to talk in a very eerie voice, and I don't know where it came from. People are waking up to the fact that these devices are. you know, more powerful than, than we usually give them credit for.
So I want to believe that our job is going to eventually be made easier because market forces are going to ask for more security. And I would even say without knowing that if the UK went forward and came out with this kind of bill that goes and and puts product security smack in the middle of the thing, it's because their public is already asking their politicians to do something about it.
Hmm.
So it's a different kind of market force. Politicians don't wake up in the morning and create customer protecting bills just because they, they're nice. They got forced to it.
yeah, yeah, that's true. When you think about the average politician, they're not, they're not security people like we are. They're not driven. They're not gonna, they're not gonna try to, you know, increase the greater good of, of the technology landscape by pushing things forward. Somebody's in their ear. Telling their, or paying for the, for paying for this influence in some way. Now. Now I'm not so optimistic anymore. What just happened? How did I, what happened? That's true.
We did have a good conversation with Adam Shostack about, uh, some, some other things that, uh, yeah, that's, that's a good point. May have, may have brought me down in that, that quick little, uh, that quick little thought process there. Well, how about the last one? So this one seems tough to, to have a, to be against, because I think most people in the market are doing this now. But device manufacturers will be required to publish contact information to allow vulnerabilities to be reported.
Matt mentioned it a little bit earlier, but. I mean, I can't think of a major company that I use a product for them that doesn't do this now. Like this seems like, so 1990s of a requirement, like in the 1990s, we didn't have this. There were still a lot of companies in those days that had security at addresses. Um, but I feel like in 2023, does anybody not have security at their company routing to somebody who can listen.
You know what's funny? I, I even, I, I look at the other side of the thing. Having, having been at, uh, the receiving side of a number of, uh, bug bounty, uh, campaigns. Even the, the, the, the, the people who are doing the, they themselves don't think about emailing security at what, wherever. So it may be that by, by crawling on people's ears, we got companies to, to have this, this even sort of standard security at whatever. But the, the, the consumer side is not educated to that.
And.
So I think that this is one of those that goes like to, to both sides and, and clearing up that channel. And hey,
And, and I think that this is, so there's talk, talk about cost here. Um, it's one thing to have a, an email like support, you know, support@companyxyz, right? So you have a vehicle. Now I know from, from experience, from, from working in a couple of companies that do consumer products, that support channel, they may not be fully aware of how to handle a security issue. They may not have people on staff initially to handle that.
So you have to have people who know how to handle security issues recognize that something is a security issue, right? Cuz somebody may say, you know, may report something in a way that is very technical, but isn't recognizable to the support person as, oh, this is a security problem as opposed to a customer support problem.
Mm-hmm.
The law, the regulation is very particular here and, and the important part is not actually having a point of contact. The, I think the important part is that there's a receipt of an acknowledgement that, that a report was made and that regular, ongoing communications is made. on the status of that issue. Right? And that's I think where companies, especially companies that are not well funded, that don't, that, you know, these run these, you know, 400,000 on Amazon companies, right?
May not ha, may not have the facilities to do this on a regular basis. They, they can barely do it for support issues. In some cases, you know, if you call up and I say, you have a bug, or I can't get the device online or something, but now you're gonna have to do this for managing a security issue. The other challenge. Is again, it needs to be, uh, without gathering personal information from the submitter and free of charge in English.
So you have, uh, you have challenges of most people that, most companies, I think, that supply support. Don't do that for non-customers. Meaning they wanna know who's making the report. You know, is it one of our devices or is it one you have a support contract for? Or you know, or have you bought a subscription, not random person submitting a vulnerability report and then having an ongoing conversation with them?
Yeah. I do have a, a thought here that I'd love to get your guys' take on. Does anybody even report security vulnerabilities to security at anymore, like in the world of bug bounty? Because I, I mean, I remember security at back in the day when bug bounty didn't exist yet. And so people were using it to report things to Cisco, for example. Or even the web hosting company Exodus that I worked for. People would report security issues.
You know, somebody's DDoSing me from your IP address range would come to security at. But I mean, it sounds like you got, I mean, just by the looks on your faces, that nobody's using security at
It
no, no, no, no, no, no. Wait, wait,
occasion, I think still, uh, and I'll just say a couple years ago, I, I think as of a couple years ago, was, that was true.
Let's, let's go back to dust
Oh God.
No, no, no. Wait, wait, wait, wait. This is good. This is good. At the last place that I was, where I had visibility on the bug bounty, we would commonly get emails directed at security@ where somebody, usually in horrible English, was saying that they had identified a missing header on an H... whatever, right? And that they were interested in knowing if there is a bounty available.
So they don't even have the patience to go to the places and see if there is a bounty available. They just blow everything that comes out of the desk into security@, and... bodies pray and
And realistically, I think we're using security@
our value
using security@ as a placeholder, I think, for Twitter and Facebook and, you know, et cetera. All the means by which... and, by the way, a lot of companies have support for, you know, community support forums, right? They don't offer regular support, so they have a community site. And so somebody's submitting a vulnerability report through a community site: "Hey, I found a vulnerability. How do I report this to you responsibly?" Or, "here's the exploit code."
Publicly available now, posted online to lots of community support sites, or Reddit, or whatever.
Before we run out of time, we are talking about how things are going to be reported and all that good stuff. But it says what it is that can be reported, right? So there are four bullets: hardware of the product. Fair enough. Software that's pre-installed in the product. Fair enough. Software which must be installed on the product for everything to work.
So something that a customer has to install into the product to get the whole functionality. Fair enough. And then the fourth one: software used for or in connection with any manufacturer's intended purpose of the product, unless the product is a smartphone or a tablet computer capable of connecting to networks. So to me, that reads a bit like, "Hey, we can start reporting third-party libraries to vendors, and they are expected to do something about it."
Or am I reading too much...
I think that's a confusing wording. "Software used for
or in connection with
the manufacturer's intended purpose, unless the product is a smartphone or tablet."
And what's special about a smartphone or tablet computer capable of connecting to cellular...
That is an interesting call out. Yeah.
You can talk about everything unless it's a smart... uh, what's the name? Snapdragon. Don't talk to us about the modem in your device. Why is that a thing?
Well, actually, the modem is in scope. The modem is hardware. It's only the software that may use that modem that may be out of scope.
Oh, good point. Is firmware software?
Yes.
Yes,
then.
it is.
Then you can't talk about the firmware on the...
It's an interesting, it's an interesting call out. Why, specifically devices that go that connect to cellular networks?
I smell
It may be that those are covered under another regulation that we're not up to speed on.
They did not discuss this in the last viscount meeting. I smell conspiracy. Something to do with 6G.
The Minister of Artificial Intelligence and Protecting Intellectual Property for the Security Table smells a rat somewhere. So, with that, we're out of time for this episode. It was fun to bounce through and think about these things. I think in general we landed in support of most of them, maybe with a few questions or clarifications on some of the things they're doing. But hey, Matt's looking quizzical, like he didn't agree.
No, no, no. I'm just thinking, now that I understand the law better, there are more exceptions, and we could talk about that at length, but not now.
There are always exceptions to everything. The devil's in the details, or the exceptions, is what I think we'll...
Wait for the book and the exposé from the Viscount
Viscount.
on the conspiracy of why not smart...
For Viscount Izar and just regular Matt, we're signing off on the Security Table. Thanks, everybody, for listening.
