Placing on the market
Posted Sep 20, 2023 16:02 UTC (Wed) by Wol (subscriber, #4433)
In reply to: Placing on the market by pizza
Parent article: The European Cyber Resilience Act
> So in other words, OpenWRT is not liable, the manufacturer of the equipment is not liable... which leaves you. But since you didn't "place this product on the market" you're not liable for any damage it causes either.
> That seems... quite wrong.
I agree with you. BUT. How different is it to anywhere else? Not at all, as far as I can tell. What if I buy a bunch of aftermarket car mods, rally-fix my car so it's totally illegal, and go road-racing with my mates?
It only needs a fatal smash and a bunch of innocent bystanders are left with no recourse because at best I'm a man of straw not worth suing - at worst I'm dead too (many people would think that was for the best! :-)) and there isn't anyone to sue. Tough. That's life. And death.
> > If manufacturers are forced to clean up the dystopian world of the "internet of things", the background security level will rise sharply.
> Doing so by effectively outlawing general purpose computing and independent software development sounds like a pretty dystopian outcome to me.
And the alternative is?
It's a "damned if you do, damned if you don't" world out there.
Stuff needs to be field-updateable. Stuff needs to have the code available for audit.
I'd like to see something along the lines of "If you lock it down you have to implement a kill switch. If a serious bug is found you implement a fix, and then you trip the kill switch. If you CAN'T implement a fix, then you trip the kill switch anyway! And unless the product is end-of-life, tripping the kill switch is a warranty failure". Although if the customer didn't apply the fix, you do get to charge them for the privilege of you doing it for them, and they get a "pay for" upgrade rather than a replacement piece of kit.
Let's take routers, for example. How difficult would it be for - Netgear, let's say - to sponsor an engineer to certify OpenWRT on their hardware? (That is, Netgear employs the engineer to say "Yes, I've audited it". He's not personally liable for it.) Another couple of manufacturers chip in, so they set up a compliance testing trade association - bear in mind that sort of organisation is not allowed to be choosy about membership. So the engineers are busy fixing and improving OpenWRT, and providing value to the association members in the form of certification! Not a member? No certification!
Basically, if you provide a product, you should be responsible for making sure that (a) it works as advertised, and (b) customers and bystanders are not hurt by it working as designed. Like in the automotive industry, you should not be held responsible for unauthorised modifications, but you are responsible for the safety of the product you supplied.
And this is what I meant about the dystopian Internet World of Things, where security etc. is an afterthought, if it's even a thought at all. People get hurt by commercial products acting "as designed" (as in, design consists of just throwing components together, compatible or not, who cares).
Cheers,
Wol