> They can then turn around and lambast / sue / etc the company that sold it, putting pressure on the source of the problem
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.
Any device that participates in a DDOS needs to be recalled by the manufacturer, mandated by law. Make it potentially economically crippling to sell a vulnerable device, and security will be taken very seriously. Frivolous uses of tech, won't be worth the risk.
This just in: every computer manufacturer forced to recall every single computer model they've ever sold because some users use weak passwords.
I can't wait for all of them to switch to IOS-ified devices incapable of installing alternative operating systems or programs, as that would be the inevitable end solution for all these manufacturers if this was implemented.
Maybe that's a good thing; relying on users to choose good passwords is a cop-out. Systems should be safe-by-default. And owners losing their system if it participates in a DDOS, would add to the incentives to stop the nonsense. It persists because perpetrators, and those who unwittingly abet them, feel no consequences.
At that point, you should force the pain on the individual themselves. Why should all of us be handicapped because there's a couple morons that can't set decent passwords and connect their devices directly to the internet?
Even if the device removed the capability for passwords and used key based authentication, connecting it directly to the internet means if there's ever a vulnerability, all that was for naught anyway.
This is the way, there should be no access by default, then on first access the user has to setup their desired authentication details, and if they want passwords, then they get a randomly generated one, not one they choose. There should also be a factory reset button too.
Exactly, and fwiw most manufacturers have moved to this model by now, or using randomly generated passwords printed on the physical device itself, in the case of routers.
The latter is still a security issue, because it means that anyone who had your device before, or was able to photograph the printed password briefly, could still have access to your device. Of course it mitigates a fair bit of the DDoS issue, but is still problematic.
Or just unplug the culprit. But the key seems to be that the device continues working. Ideally you would just shutdown or disconnect the device. If fridge is infected, the fridge can still fridge, but it no longer has internet privileges.