Please note that all submissions to the site are subject to the wiki's licence, CC 4.0 BY-SA, as found here
Security: Difference between revisions
Added a page for common term: "Security". Security is pretty important to consumer protection so I figured I'd add it. I figure we need some educational articles on the site for people who are new to consumer protection principals. Definitely needs some work. |
m Add suggestion to use open-source projects when available. |
||
| Line 20: | Line 20: | ||
# Avoid using physical products that require a proprietary app to use. While the product itself may not connect directly to the internet, your internet device now serves as a bridge to it. This opens the door for companies to take away your rights via the app. In addition the app itself may have security vulnerabilities. | # Avoid using physical products that require a proprietary app to use. While the product itself may not connect directly to the internet, your internet device now serves as a bridge to it. This opens the door for companies to take away your rights via the app. In addition the app itself may have security vulnerabilities. | ||
# Avoid using physical products that need a subscription to use, a normal treadmill won't brick itself if the company goes out of business, or decides to [[Peloton Removes Just Run Feature|eliminate a subscription free feature]] in the name of safety or security. | # Avoid using physical products that need a subscription to use, a normal treadmill won't brick itself if the company goes out of business, or decides to [[Peloton Removes Just Run Feature|eliminate a subscription free feature]] in the name of safety or security. | ||
# Avoid using closed-source products if equivalent open-source products exist. Open source products are not necessarily more secure, but they are far less likely to violate a consumer's rights simply because the consumer has the ability to change the product as they wish. | |||
== References == | == References == | ||
Revision as of 18:59, 21 January 2025
Security is an engineering principal whereby the risk of an unauthorized malicious agent gaining control of a product, its information, or its environment is minimized. Security of programs and physical products is critical to consumer protection.
What are Security Vulnerabilities?
A security vulnerability is any function of a product that allows an unauthorized agent is able to gain some level of control over the product, its information, or the product's environment. Vulnerability severity can range depending on how much access an unauthorized agent is granted. To further understand vulnerabilities it is useful to list some real examples:
- The apache log4j exploit[1] where a malicious user could remotely execute code (known as an RCE Attack) by feeding the logger malicious data which causes it to download and execute malicious code. This vulnerability could compromise the security of nearly any system running applications with older versions of log4j. The impact of the log4j exploit could have been massive due to its status as a Java library, meaning that many programs use it solely for the purpose of logging information causing log4j to have massive reach.
- The NoFly.csv leak where the majority if not the entirety of the US No Fly list was exposed on an unsecured server.[2] Similar data leaks have and can occur containing more sensitive user information: emails, passwords, real names, SSNs, etc.
Security vulnerabilities primarily show up in software products but they can also exist in real life. Home security often depends upon locks which are themselves physical security implementations that prevent intruders from entering but this does not stop someone from just smashing the window: a physical security vulnerability.
What is Not Real Security
Understanding what real security is requires understanding what it isn't. Security is not attained through obscurity or purposefully hiding information about a product. Security is not improved by connecting to the internet, in fact this has quite the opposite effect as it can open new attack vectors.
How this Relates to Consumer Rights
Security is both a blessing and a curse towards control over the things consumers own. Being forced to login to a laptop to use it is a sensible decision, being forced to connect your treadmill to the internet and gain authorization just to run on it (as seen here) is not. Companies may use security as an excuse to reduce consumer control and so it is important to identify these misuses. If a company takes away consumer rights using security as an excuse the emperor may not have any clothes to begin with.
How to Avoid Losing Rights in the Name of "Security"
- Avoid using physical and software products that needlessly require connection to the internet. Your fridge does not need to be "smart". Choosing to use a smart appliance opens the door for companies to take away your rights as well as open you to security vulnerabilities.
- Avoid using physical products that require a proprietary app to use. While the product itself may not connect directly to the internet, your internet device now serves as a bridge to it. This opens the door for companies to take away your rights via the app. In addition the app itself may have security vulnerabilities.
- Avoid using physical products that need a subscription to use, a normal treadmill won't brick itself if the company goes out of business, or decides to eliminate a subscription free feature in the name of safety or security.
- Avoid using closed-source products if equivalent open-source products exist. Open source products are not necessarily more secure, but they are far less likely to violate a consumer's rights simply because the consumer has the ability to change the product as they wish.