Who? March 10, 2020 4:28 AM

This casebook is an interesting reading for sure. We need regulators acting in support of customers (either individuals or business) but I guess it will never happen; hardware/software/firmware manufacturers should be required by law to provide security fixes for ten years at least; even twenty years for widely deployed products (e.g. microprocessors or the management engine (ME)). It does not make sense at all Intel withdrawing a “feature” like ME we cannot opt-out because it is four years old. It is a dangerous practice and should be banned. Corporations following these bad practices should be punished.

It does not make sense corporations like Intel withdrawing processors like the Core 2 series either instead of developing microcode to fix modern processor bugs. Corporations should be required by law to design secure devices, even if proven vulnerable at a later stage.

I think an EPA-like agency will not be helpful to achieve this goal.

andrews March 16, 2020 2:08 AM

Corporations should be required by law to design secure devices

I have seen precious little that would give me confidence that government would have competent regulators. Even well-intentioned regulators are hardly a given (consider FCC, EPA), and competent is harder to come by.

Then, too, how do you write a regulation that accomplishes this? Simply mandating that there will be no bugs seems rather optimistic. Requiring an update mechanism for a part that may be embedded in a server shipped to [remote country] or installed in a military base is also problematic.

I doubt that anything useful happens until someone manages to make out a case of negligence for some horrible flaw.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.