back to article California cracks down on Internet of Crap passwords with new law to stop the botnets

Anyone manufacturing an internet-connected device in California will, from 2020, have to give it a unique password in an effort to increase overall online security. That's the main impact of a new bill recently signed into law by Cali governor Jerry Brown, SB-327 called "Security of connected devices." The law is the US state …

  1. Anonymous Coward
    Anonymous Coward

    IoT & Patching - The bigger picture issue is Trust is Dead

    With IoT, every device has a potential secret agenda, not in your interest...

    State actors see IoT as a target to be acquired and tracked. Hackers as well, but for hijacking / extortion / DDOS purposes etc. Commercial firms see consumer IoT devices as a means for getting 'consumer intel' (Vizio-TV's etc). All of them see IoT devices as merely 'rented to you' for the purpose of different types of Monitoring / Tracking / Surveillance.

    Even if a WebCam manufacturer offered timely updates, would you trust them coming from China or Vizio-HQ etc?

    What we have basically is Intel-Management-Engine meets Adobe-Experience-Cloud in one package. Or lots of sneaky anti-consumer practices underpinning tech and fundamentally eroding trust. Even if open standards were followed at hardware and OS level, and you could get all your patches from a website you trust sha256 verified etc... There are just too many bad faith actors out there wanting to distort the process. Who can you trust? For this reason the entire premise of IoT is for sht!

    1. Anonymous Coward
      Anonymous Coward

      Re: IoT & Patching - The bigger picture issue is Trust is Dead

      https://www.theregister.co.uk/2018/05/08/adobe_hyper_personalisation_and_your_privacy/

      https://www.theregister.co.uk/2017/02/06/ftc_spanks_vizio_for_slurping_viewer_activity/

      https://www.theregister.co.uk/2017/05/05/intel_amt_remote_exploit/

    2. DaLo

      Re: IoT & Patching - The bigger picture issue is Trust is Dead

      Trust may be dead for some devices and by some technical people but the average consumer will go on amazon, buy a cheap device install it, download their app agree to 501 permissions required and put it on their network.

      Why are they to know any better? There is no mandatory test and qualification required to buy a IoT device, they don't presume the ones on sale are dangerous.

      As well as extending this bill to a larger are (e.g. all of the US or all of the EU) where every manufacturer would be forced to comply, as the author states it should be extended and certified further. A beep for an update will not work as very few cheap IoT devices ever get updated out of the factory.

      I suggest:

      # All devices need to have security assessment to provide a test of the device based upon current most likely threats. Devices must pass this and be certified before going on sale.

      # All internet connected - or connectable - devices have a grading which shows a length of time in which they guarantee updates for a device. All source code is held in Escrow in case the supplier goes under in that time.

      # Any security threats discovered in a device during its service guarantee time must be fixed in a standard length of time based upon the severity

      Therefore the customer can understand that by pay $5 for an IoT device there are likely to only get 1 year of usable life from it, someone who pays more might get a much longer guarantee.

  2. the Jim bloke
    FAIL

    Any device manufactured in California..

    Well, thats going to help a lot.

    1. IceC0ld

      Re: Any device manufactured in California..

      Any device manufactured in California..

      Well, thats going to help a lot.

      ======

      it's a start, and bear in mind that California, on its OWN is the WORLDS 5th largest economy, it is quite a start too, but as El Reg has pointed out, they have gone for low lying fruit, and there were better options available :o(

    2. bombastic bob Silver badge
      FAIL

      Re: Any device manufactured in California..

      "Well, thats going to help a lot."

      Ack on the snark. (you WERE being facetious, right?)

      The laws of 'unintended consequences' are the usual result from the "legislate yet another law" crowd, who claim good intentions. But coming from Jerry Brown and the Sacramento legislature [one of the most corrupt organizations on the planet, where paid lobbyists mull about on the legislature floor waiting to be 'consulted' on EVERY!THING! before it's voted on] I can expect an 'ulterior motive'.

      Cali-fornicate-you gummint can only affect California corporations and residents. And they can NOT stop competing products coming in 'at the border'. So you'll probably see a couple of things:

      a) a drop in the quantity of things being built within the California borders;

      b) an increase in prices to the consumer;

      c) overly-complicated setup processes if "just firmware" is involved in this regulation;

      d) all of the above

      Some of this was alluded to in the article, but I'll just say it straight out: the more governmentium and petty regulation, the LESS PRIVATE SECTOR ACTIVITY you will see. Because it costs the legislature NOTHING to "pass yet another law". It only costs those who are AFFECTED by it. That would be everybody else who is NOT THEM.

      (My state needs an enema, starting with that crap-hole called "Sacramento")

      I'd also like to point out, for the record, that all of the cheap IoT junk being sold on E-bay and Alibaba won't be affected by this. And I wouldn't be surprised if THAT stuff is MOST of the problem...

      1. A.P. Veening Silver badge

        Re: Any device manufactured in California..

        @bombastic bob

        You seem to have overlooked the minor detail that no devices are actually manufactured in California. Even the devices manufactured for California based companies are manufactured in countries like the PRC and Vietnam (Thailand is already to expensive).

        1. bombastic bob Silver badge
          Meh

          Re: Any device manufactured in California..

          "no devices are actually manufactured in California"

          OK technically you're right. but for a 'California corporation' that outsources the actual building of the thing, then does final assembly and test in California, it may still 'count' as 'made here'.

          I guess I'd have to see the nuances of whatever was excreted from Sacramento's "law factory"...

          [knowing them, they thought of this already]

    3. sanmigueelbeer
      Facepalm

      Re: Any device manufactured in California..

      What a waste of effort for something that applies to bugger-all.

      The author (of the law, that is) might as well add that this law is applicable to devices that are pointing northerly direction.

      1. Phil O'Sophical Silver badge

        Re: Any device manufactured in California..

        What a waste of effort for something that applies to bugger-all.

        Are you sure? Read the text of the bill:

        (c) “Manufacturer” means the person who manufactures, or contracts with another person to manufacture on the person’s behalf, connected devices that are sold or offered for sale in California.

        1. Doctor Syntax Silver badge

          Re: Any device manufactured in California..

          "the person who manufactures, or contracts with another person to manufacture on the person’s behalf"

          It still doesn't apply to devices on sale from non-Californian manufacturers even where manufacturer is defined as above. Selling or offering for sale would be a better target. The killer blow would be forbidding the connection of an insecure device to the internet with liability on both the owner and the ISP. If a customer is found with an insecure device facing the net the ISP would be obligated to disconnect them until the device is removed. That kills the market for such devices.

    4. Anonymous Coward
      Anonymous Coward

      Re: Any device manufactured in California..

      It doesn't say that the device has to be manufactured in California, only that the "manufacturer" has to be a California company. Apple contracts out the manufacturing of iPhones, so are they are exempt? They manufacture iMacs in Ireland, but probably via a subsidiary called "Apple Ireland" or whatever - so are iMacs exempt or not?

      If Microsoft manufactured Surface devices themselves (I'm pretty sure they don't, but just as an example) are they not considered a California company since they are based in Seattle? Or does the fact that they have offices in California make them a California company?

      Seems like there's a lot of uncertainty in who this would apply to - uncertainty that would be worked out in court so it would be years before it applied to anyone.

  3. Anonymous Coward
    Anonymous Coward

    Simples

    Password1

    Password2

    Password3

    Password4

    ....

  4. Maelstorm Bronze badge
    Big Brother

    The problem...

    There are several problems with this. Let's go down the hit list, shall we?

    1. As the first commentor stated, trust in IoT is dead, and for the reasons given.

    2. IoT devices are made to be cheap, get flung out the door quickly, with security as a second though.

    3. The reason behind #2 is every manufacturer wants to be first to market with a device, so the software people don't have enough time to fully test and secure the product before it is shipped.

    4. The average lifetime of an IoT device is about (guestimate) 18 months before manufacturers no longer support it.

    5. This bill, although it is a step in the right direction, is misguided for several reasons. Those are enumerated below:

    5a. Most of this hardware is manufactured oversees, which means that the law won't even apply to most.

    5b. For those who do manufacture the hardware here in California, you are going to significantly increase the costs to the manufacturer. They will need someone to program a password into each device (or generate one automatically), and then print more, unique documentation because now the passwords between the devices are different.

    5c. Hope that the person who is typing in all these passwords gets it right.

    6. How are you going to enforce this? Have the state become a nanny? More so than it already is? Sorry, I'm tired of the nanny state. I don't need Big Brother telling me what I need to do to improve the security of my devices.

    A much better way to do this is to educate the public on the security issues. Make it part of the public school education curriculum. That way, everyone will at least be aware. However, that will not help when you have a IoT Tea Pot with a default password of 000000 that cannot be changed...

    1. Charles 9

      Re: The problem...

      " How are you going to enforce this? Have the state become a nanny? More so than it already is? Sorry, I'm tired of the nanny state. I don't need Big Brother telling me what I need to do to improve the security of my devices."

      Hell yeah you do, or else someone ELSE will take you with them. Or would you rather be living in the Gilded Age (Upton Sinclair's The Jungle, anyone? Sweat shops?) where robber barons did what they wanted and made or bribed governments to turn a blind eye? Which would you prefer: anarchy or the police state? Because the natural human tendency won't allow anything in between to last for very long, if the current global situation is any indication.

      "A much better way to do this is to educate the public on the security issues."

      In case you haven't noticed, we've been trying. But unless it's something that'll KILL THEM, they won't listen. You can't educate someone who doesn't care. Remember, we're talking the Facebook generation where people WILLINGLY give out all the information miscreants need to steal their identity...and feel they NEED to do it to maintain their oh-so-important social circles. Unless you propose some license to have kids, this will only continue.

      1. A.P. Veening Silver badge

        Re: Education

        You may have been trying, but with the current American educational system, failure was already guaranted.

      2. Mark 85

        Re: The problem...

        Or would you rather be living in the Gilded Age (Upton Sinclair's The Jungle, anyone? Sweat shops?) where robber barons did what they wanted and made or bribed governments to turn a blind eye?

        I think we are already there. The lobbyists run state and federal governments.

        Which would you prefer: anarchy or the police state?

        Currently, it would appear that we are headed towards a police state because the anarchists are to be feared and government has pounded that into everyone's head.

        Sadly, we the people, don't have much choice in who we elect nor do the candidates seem to have much freedom to do what we want. Between government pressure to "think of the children", "terrorism", etc. and lobbyist bribery, we're screwed. Perhaps a revolution might occur but it would end in anarchy due to the fragmentation by various political groups. The old saying "divide and conquer" is working very well here in the US. And to the naysayers, I say "look again". Black vs. white. Haves vs. havenots. Even the political parties are fragmented in many ways other than "left vs. right".

        The problem needs to be addressed at the grass root level wherein the people realize how badly they are being manipulated, used, and abused even within their own factions. The problem is how to get them to think beyond their own noses and look at what really needs to be done for the greater good.

        Lastly, yes.. the Facebook generation... <sigh> along with "hipsters" or whatever that only think about the next shiny to buy.

    2. Alienrat

      Re: The problem...

      > They will need someone to program a password into each device (or generate one automatically), and then print more, unique documentation because now the passwords between the devices are different.

      I think it is not uncommon for a lot of routers I have seen to have the default password printed on a label on the bottom of the box. These passwords are put on automatically during manufacture. Its not done by hand and it doesn't seem that tricky

      1. Prst. V.Jeltz Silver badge

        Re: The problem...

        They will need someone to program a password into each device (or generate one automatically)

        NOPE , didnt you see option B?

        "a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time."

        So , a tiny mod to make user reset adm password on login - job done.

    3. Doctor Syntax Silver badge

      Re: The problem...

      "They will need someone to program a password into each device"

      There is an option to force the user to secure the device with its own password before it will become operational.

      "I don't need Big Brother telling me what I need to do to improve the security of my devices."

      Frankly I don't give a toss whether you take any steps to secure your devices at all. What I do care about is you exposing an insecure device on the network where it can be weaponised to attack me or anyone else. If it takes legislation to force you to do that, then so be it.

    4. Prst. V.Jeltz Silver badge

      Re: The problem...

      @Maelstrom

      1 . Irellevent - hey this will bring trust back!

      2. yes - now with unique passwords

      3. force Set password at first use = easy way, no lead time

      4. so what?

      5a. if manufactured on orders from Cali - yes it does , besides its no big deal to implement

      5b. the shit will still be manufactured in taiwan , with the no issue "force Set password at first use" added

      5c. see 5b

      6. its bloody obvious common sense , realised by unix community decades ago when it occured to them they should get the admin to change the default admin\admin password at first use. and thats a free os.

      1. Charles 9

        Re: The problem...

        It may be a free OS, but it's not a consumer OS used by people who who wouldn't know a password from a potato, expect things to work out of the box, and simply complain, "This trash is broken! I want a refund!"

  5. Herby

    But will they give out the "unique" password?

    Let's say I have an older device that has been idle for a while, and I want to re-purpose it (or some other activity). The vendor has nicely provided a "factory reset" switch. I go through the process and connect y nice browser to the device in question. The nice online manual indicates that if I give a call center a nice multi character string, they will give out the factory password.

    Ah, there is one problem. It has been a while, and they vendor no longer supports this model. They just don't have said password, or the algorithm to get it.

    You have a brick. Have a nice day.

    Yes, this happened to me. I lucked out in that the user (a friend) remembered the older password, and all was well again. But still......

    1. Spoonsinger

      Re: "and they vendor no longer supports this model."

      Car manufacturers manage to support giving out radio codes for years. (I mean years. I have done it for a 20 year old Volvo in the past). I assume there must me some legal reason, (other than goodness of their hearts), which could be used as a template law for said IoT devices.

      1. Chris Evans

        Re: "and they vendor no longer supports this model."

        Car manufacturers expect their products to be in use for a much longer time and they also have the revenue stream from spare parts which can be more profitable than the initial sale.

        Now if only technology companies could get involved in 'The Circular Economy' Where things are designed for longevity and repairability! www.wrap.org.uk/about-us/about/wrap-and-circular-economy

        1. Charles 9

          Re: "and they vendor no longer supports this model."

          Microchips are too small for that. At least you can use a wrench in a car. Plus component manufacturers are in cutthroat competition with each other, so the bottom line is critical for them.

    2. Prst. V.Jeltz Silver badge

      Re: But will they give out the "unique" password?

      You have a brick. Have a nice day.

      Then you press the teeny button on the side , and device reverts to defaults , complete with "set your

      own unique password at first login" reactivated . job done .

    3. Doctor Syntax Silver badge

      Re: But will they give out the "unique" password?

      "You have a brick."

      Next time buy something that handles such stuff better.

      1. Charles 9

        Re: But will they give out the "unique" password?

        And if there AREN'T any?

  6. Pascal Monett Silver badge
    Stop

    No need for a unique password

    It seems everyone is fixated on that point, when the article clearly indicates that another option is possible : forcing the user to change the default password on setup.

    So no, there is no need to have a device-specific manual or anything else. Every manual is the same and printed the same way, it's just the consumer that has to change the password on setup and not forget it. Then curse and snarl six months later when he forgot it and needs to to force a reset on his IoT thingy.

    1. Charles 9

      Re: No need for a unique password

      Which means companies get complaints and lose customers because You Can't Fix Stupid.

      1. Doctor Syntax Silver badge

        Re: No need for a unique password

        "companies get complaints and lose customers"

        If the playing field is level the only place for a customer to go is someone selling something that behaves the same way. See my comment about some not learning except by experience.

        1. Charles 9

          Re: No need for a unique password

          And what of those who won't learn even BY experience?

    2. Doctor Syntax Silver badge

      Re: No need for a unique password

      "Then curse and snarl six months later when he forgot it and needs to to force a reset on his IoT thingy."

      Experience is a dear teacher but there are those who will learn at no other.

  7. Whitter
    Meh

    Broken updates

    Who's going to take the chance that their house's power system goes down after a borked security patch to the "smart meter"? Could Joe-punter rectify the situation if it did happen? In general, no. How big are the test teams working on IoT updates? Ermm.. about as big as the team making them; likely zero.

    1. DropBear

      Re: Broken updates

      Which is why I flat out would not buy any device that _forces_ me to apply updates by whatever means. That is not to say I would never want to apply an update to a device, but the thing is a lack of updates may or may not have actual consequences for my specific device depending on its specific circumstances (it more likely won't though) whereas any update may or may not break functionality I depend on (and it more likely will - most updates I applied to a device did break _something_). And at this point, I'm done dealing with things breaking - if I can't rely on it to work untouched 5-10 years, I don't want it. Life is literally too short to keep dealing with the endless amount of stuff that wants to be maintained each time the direction of the wind changes.

      1. Charles 9

        Re: Broken updates

        "And at this point, I'm done dealing with things breaking - if I can't rely on it to work untouched 5-10 years, I don't want it."

        So what if the ONLY things available ONLY last that long? Do you throw your arms and say, "Stop the Internet! I wanna get off!"?

  8. David M

    Not in anyone's interest

    Part of the problem is that if, say, all your lightbulbs get recruited into a botnet, the manufacturer doesn't care as they've still sold some lightbulbs, and the owner doesn't care as the bulbs continue to work. So there's very little incentive to do anything about this. Plus many people have had the experience of a device getting worse or completely broken by a software update, so may be reluctant to do it unless there's an obvious benefit. Any solution will have to make the cost of being hacked significantly higher than the cost of security, for both manufacturer and owner.

    1. Charles 9

      Re: Not in anyone's interest

      Well, you can forget holding the manufacturers to blame because (1) they'll probably be protected by hostile sovereignty, and (2) if push came to shove, they'll do a fly-by-night and disappear, or (3) find a way to lawyer their way out of it.

      As for consumers, security = PITA, so unless you can come up with something worse than a PITA that can survive a court challenge for unreasonable expectations, search, or seizure, any attempt will generate serious pushback.

      1. Doctor Syntax Silver badge

        Re: Not in anyone's interest

        "security = PITA, so unless you can come up with something worse than a PITA"

        Make insecurity a bigger PITA.

        1. Charles 9

          Re: Not in anyone's interest

          But INsecurity = convenience. It's QUICK, it's EASY, it lets people get on with their G.D. day! That's gonna be hard to beat.

    2. Doctor Syntax Silver badge

      Re: Not in anyone's interest

      "the owner doesn't care as the bulbs continue to work"

      The owner will care if the law obliges the ISP to cut them off from the net. Next time they'll buy better light bulbs. Even if, by that time, the original vendor is making better light bulbs they'll find they have lost reputation.

  9. Anonymous Coward
    Anonymous Coward

    Where's the master list of passwords kept ?

    because how else can you know - and prove - they're "unique" ?

    1. Spoonsinger

      Re: Where's the master list of passwords kept ?

      Flimsy Backdoor Industries will keep the list. You know they can be trusted.

    2. vtcodger Silver badge

      Re: Where's the master list of passwords kept ?

      Password is the same as the serial number.

      Bet on it.

      1. Anonymous IV
        Thumb Down

        Re: Where's the master list of passwords kept ?

        Presumably all these passwords have to be submitted to some Californian Registry Body, so that they can be assessed for strength.

        (And, of course, for no other reason...)

  10. Prst. V.Jeltz Silver badge

    Well ive seen a whole lot of bitching and moaning up above about percieved issues with this iniative.

    Cant say I agree with any of them , its an easy and simple improvement to make* with no security implications beyond ones that are always there for all things.

    *especially if going the "set yer own pwd at start" route

    1. Charles 9

      Unless there are too many instances of customers complaining about setting their passwords and then forgetting them. Last thing any company wants is a bunch of "This trash is broken! I want a refund!" complaints.

  11. Anonymous Coward
    Anonymous Coward

    What a stupid bill

    So they randomly generate a password and print it on the back of the device - like they already do on many wifi routers for the default SSID/password. Meaning that if the label is damaged then you're screwed if you have to reset the device to default. You're also screwed if you don't have easy physical access to it or it is too small to have a "label" on which to print the password - which will be the case with many IoT devices.

    What does it mean for phones, is Apple going to have to ship iPhones with a unique default password instead of like they do now where they are totally open when you unbox them? Is Apple supposed to print that default password on the back of the phone, or put it in the box? Good luck buying a used iPhone without the original box I guess! If it is on the back of the phone, better hope it isn't one of the newer ones with a glass back, and that the glass back didn't break and get replaced!

    All they need to say is that you need to be forced to reset the password from the default in order to use the device. i.e. if you sell a wireless router with default admin/password login, until you actually login to the GUI and reset that password, it will only allow one device to connect to the router and it'll force it to a page where you have to change the password.

    1. Doctor Syntax Silver badge

      Re: What a stupid bill

      "All they need to say is that you need to be forced to reset the password from the default in order to use the device."

      Great idea. That's why the bill makes exactly that provision.

      1. Charles 9

        Re: What a stupid bill

        "Great idea. That's why the bill makes exactly that provision."

        But it can result in unintended consequences for people too expectant of plug-and-play. They'll start complaining "This trash is broken! I want a refund!"

        1. strum

          Re: What a stupid bill

          >They'll start complaining "This trash is broken! I want a refund!"

          And they'll be told to make a password, and it won't be broken (and if the punter still complains, the seller can blame Jerry Brown).

          There does need to be some degree of personal responsibility.

          1. Charles 9

            Re: What a stupid bill

            To consumers who can't memorize their PINs to save their lives? HAH!

            "There does need to be some degree of personal responsibility."

            AND there needs to be an understanding some people have really, REALLY bad memories.

  12. mark l 2 Silver badge

    I don't see why IOT devices can't have all of them shipped with the same default admin password but the devices won't function until this is reset by the user to one of their own choice.

    There is a real problem in today's society that electronics are seen as consumable devices which can be thrown away and a new one purchased in 18 months time so manufacturers have no incentive to support them once they have sold them.

    I like to keep my IT equipment going until it either no longer works or is no longer fit for purpose. And so I have two 10 year old Dell computers that I use daily (dual booting between Windows and Linux mint) a Pentium 3 based boxed used as a freeview recorder media box, an old Android tablet with HDMI output which i use as a media player for a bedroom TV. And even a 30 year old Amiga which I reckon will still be more useful in 18 months time than most of these IOT devices currently on sale.

    1. vtcodger Silver badge

      Given that your IOT connected toothbrush likely has a rather limited UI -- one button -- entering a password may be challenging. Changing that password, even more challenging.

      1. Charles 9

        Well, how does your IoT toothbrush interact with anything, then, if there's no way to input it?

        1. 2Nick3

          Why in the world does your toothbrush need to be online? It's a piece of plastic with bristles at one end. The electric ones that live on their chargers really don't need to send you a notification when they are recharged, do they? Or do you need a model that reports to your dentist how often you brush, for how long (on each tooth, right?), with how much pressure (on each tooth, again, because why not???).

          Yeah, a brush that tells you that you are pressing too hard (or soft) with some kind of audible notice would be reasonable, or that tells you when you've been on an area long enough, but can anyone really justify why it has to be online to do this?

          Just because you can doesn't mean you should.

          1. vtcodger Silver badge

            Internet connected toothbrush? Of course it's a bizarre idea. But apparently you actually can buy one for about $200. And if I try, I can come up with a very few somewhat legitimate use cases. Maybe a controlling mother making sure her kid brushes his/her teeth (or at least turns the gizmo on) while at summer camp.

            Overall, with the exception of routers, some entertainment devices, and surveillance cameras, I think most of this junk is probably useless or worse. But apparently my (and your) opinions don't count. It's going to be made, touted, and possibly even actually purchased.

        2. vtcodger Silver badge
  13. Anonymous Coward
    Anonymous Coward

    The problem is the lack of interoperability and central management.

    Such devices should be built around standards that allow for interoperability amd central management - think about a Nagios-style dashboard telling you which devices are operative, which not, which have a low battery that need replacement, and which need an update. Even better if the central management can download updates and feed them to devices.

    Obviously, in the actual landscape, that's just a dream. Each damned devices is designed to be cheap and proprietary, requiring its own app (and hope it will work when you upgrade your mobe), while slurping whatever data it can from you, and sending it directly to the mothership.

    I'm not going to install them as long as I can't have something as outlined above - a bunch of hard to manage devices is not what I need.

  14. iron Silver badge
    Flame

    "Battery powered smoke alarms go off every year when the battery runs out – what if other devices emitted a similar alarm once a year, requiring you to check and install any updates before the noise stops?"

    That device would be thrown out of the window and the manufacturer black listed. Smoke alarms generally go off at 4am, when I'm sleeping, and I'm very angry when woken early.

    1. Charles 9

      Most of them don't blare. They just start giving short chirps every so often: intended to just be annoying and eventually get your attention. Given your average 9-volt gives the thing 5-10 years of normal use, it's infrequent enough that it hasn't given manufacturers many black marks in the past.

    2. vtcodger Silver badge

      Unless your household heating is exceptionally good and you ignore the pleas of authorities to turn the heat down at night, the middle of the night is likely to be the coldest part of the "day". Cold batteries generate less voltage than warmer ones. The warning beeps are probably based on battery voltage.

      Obviously, what you need is an internet connected battery warmer in each of your smoke detectors. And apparently they need a password and regular software updates. Fortunately, the geniuses in Silicon Valley will probably solve this challenging problem Perhaps they will come up with an IOT smoke detector that can be programmed to only beep when no one is around to be bothered by it.

  15. Valeyard

    what if other devices emitted a similar alarm once a year, requiring you to check and install any updates before the noise stops?

    jesus christ. The article started ok when went deeper and deeper down the tunnel vision "our industry is the only thing that matters!", i stopped reading at every device in someone's house beeping like mad for its update with equal importance as something that ACTUALLY matters like the smoke alarm that's trying to fight for your attention with your out-of-date toaster to tell you that your family might burn to death, that's too far down the autistic spectrum for me.

    1. DJV Silver badge

      every device in someone's house beeping like mad

      Hah, that reminded me of the "12 o'clock flashers" of (the rather ancient but still funny) "Internet Helpdesk": https://www.youtube.com/watch?v=1LLTsSnGWMI

      1. Valeyard

        Re: every device in someone's house beeping like mad

        12 o'clock flasher has now been successfully installed into my vocabulary!

  16. DJV Silver badge
    Mushroom

    "install any updates before the noise stops"

    If the bloody thing is making an extremely annoying noise I can see the update process being 100% percussive and involve a large hammer!

    1. Charles 9

      Re: "install any updates before the noise stops"

      Like I said, how do you stop people expecting Plug-and-Play from complaining, "This trash is broken! I want a refund!"?

  17. JohnFen

    Common but terrible practice

    "where security fixes are often mixed with new or improved features."

    I don't understand why so many companies combine these two things. It's a terrible security practice because it makes people who actively don't want the new or "improved" features also miss out on security updates. It's a pretty hard situation when users have to decide if they're willing to accept a degradation in the usefulness/usability of their software in order to have the latest security updates.

    The industry really needs to go back to having two sorts of updates: security, which doesn't change or add features (except when such changes are necessary for security reason), and feature updates.

    1. Charles 9

      Re: Common but terrible practice

      Ever thought that's exactly why they're lumped together: to force you into a Morton's Fork? Either cripple your device or get pwned, and don't think about jumping ship, as they do the same thing.

      1. JohnFen

        Re: Common but terrible practice

        Sure. It's pretty obvious that the whole reason the two are combined is precisely so that when they force updates on you, they can point to the security updates as a (still weak and misguided) justification for forcing you into taking whatever feature-related nonsense (inevitably including more spying) has struck their fancy.

  18. Mike 137 Silver badge

    plasters for symptoms of problems

    The ultimate futility of point fixes that Kieren McCarthy rightly identifies was highlighted forcefully two years ago to the US Commission on Enhancing National Cybersecurity

    see https://www.nist.gov/document/integratedinfosecrfiresponsepdf

    Still no change in thinking though ...

  19. MachDiamond Silver badge

    Las Vegas, baby

    Companies that want to sell IoC devices will set up shop just over the California border in Nevada where shipping is still just a day or two away. There are fulfillment warehouses near the border already since the taxes are less in Nevada and accessing the California market is dead simple.

    Governor Moonbeam is a moron and doesn't have any skill with technology, business or governing. Backed by an equally looney gang of far left wing cronies in the state congress, all they can do is churn out on stupid unenforceable law after another. The did make a huge mistake and passed a strict net neutrality bill. At least it has to be considered a mistake since it actually makes sense for the proles.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like