Our strong belief in the quality and security of our products
That's the great thing about belief - it doesn't require evidence and even defies it.
Taiwanese networking equipment vendor D-Link will have to submit to a decade of product security audits after agreeing to settle a lawsuit brought by the US Federal Trade Commission. It has also pledged to maintain a "comprehensive software security programme" for the next 20 years, designed to make its IP cameras and routers …
A company that claims its routers are secure and does not take any of the generally accepted practices for ensuring security should be banned from doing business.
D-Link got off rather lightly. Maybe we have to depend on our estranged neighbors from across the pond to stuff GDPR down their throats. Our tools and our organizations are too weak.
"A company that claims its routers are secure..."
The claims were in marketing for sub-$100 products targeted at consumers where they tried to balance ease-of-use, functionality, security and cost.
In many basic tests, they do seem secure as long as the consumer takes basic steps (i.e. change the default password, don't enable inbound access and leave UPnP disabled).
While I can understand your desire for more security, there will continue to be a place for less secure products that are cheaper or more functional.
And if they start prosecuting companies for lying in marketing materials, where will it end?
The problem with this particular case is where do you draw the line on security? At what point does the vendor's responsibility for a product end and a customer's responsibility start when considering the security of a product?
The vast majority of DLink's products are pretty much par for the course in their respective markets - they are towards the lower cost end of the market and aimed at less technical users BUT have features that can be enabled to allow customers to do non-standard tasks. While I wouldn't recommend a DLink product, I have helped others reconfigure products so they work as required and there has been nothing too alarming in what I have seen.
It's all very well treating the world as black and white, but the reality is that most products and their associated marketing are a shade of grey that varies significantly based on the circumstances.
@AC "In many basic tests, they do seem secure as long as the consumer takes basic steps (i.e. change the default password, "
Um, from TFA: "Back in 2017, the FTC accused D-Link of [...] the use of non-removable default passwords in its IP cameras,..."
Last time I bought a D-Link product it wouldn't stay running for more than a few minutes when connected to the Internet. Most TP-Link, Cisco, and Netgear haven't been any better. That's no value at any price.
"prosecuting companies for lying in marketing materials" - Very long overdue in the tech industry. I get tired of returning everything for a refund because it can't even do what's printed on its box or tech support says it needs an update that will be out "soon."
Once upon a time, after a firmware update, my D-Link hijacked all DNS to point to its ParentGuard trial subscription offer. Tried its best to obfuscate how to opt out. And made sure you couldn’t look it up since world and dog domains always resolved to their exact page.
Toxic piece of shit tech by a terminally incompetent company with the morals of rutting hyenas.
Maybe we need official ratings for features like security (e.g. 1-5 stars?) so people know what to expect.
Many of us would know from experience to rate D-Link with 1-2 stars ("cheap and kind-of works, but don't expect too much, like security").
But buyers shouldn't have to base their decisions on experience.
"D-Link argued that it shouldn't be on trial, since no actual customers have been harmed"
There might be a few cases where their customers threw the product against a wall and were hurt by the shards flying around. Or perhaps they vented their frustration by biting on the router and breaking off a tooth. It would be interesting to know what that company understands under "harm". Being hacked doesn't seem harmful enough, it seems. Or do they consider that all their customers are private suckers that have no way to prove any "harm"?
So a company that has a documented history of security violations and failure to comply with federal directives gets told to sort itself out (again). Yet a company that doesn't have such a history gets pulled from the US on the basis of "whispers and suspicion" ... welcome to the proof that the China trade spat is nothing to do with security.