Message-ID: <5A8AD7F0.7070007@security-explorations.com>
Date: Mon, 19 Feb 2018 14:58:08 +0100
From: Security Explorations <contact@...urity-explorations.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [SE-2011-01] Regarding liabilities in SW / HW (ST chipsets flaws' case)


Hello All,

Today, Security Explorations sent an official inquiry to the NC+ operator
regarding the replacement process of set-top-box devices conducted by
the company in Poland (whether STBs vulnerable to the STMicroelectronics
vulnerabilities are replaced, whether the replacement process is
required by content providers, how many vulnerable STBs got replaced,
what costs were incurred by end users, etc.).

The NC+ fleet of STBs contains 4 models vulnerable to hardware flaws in
ST DVB chipsets (secret and pairing key extraction making satellite TV
piracy possible [1]).

NC+ is likely obliged to fulfill the requirements for high security of
paid TV content posed by content providers. NC+, however, encourages end
users to replace old, vulnerable devices with new models for a monthly
fee.

We believe this should not happen (the costs of addressing
security vulnerabilities are a liability of a vendor / STB manufacturer
and/or an operator, not the end user; just think of the VW Dieselgate case).

Thus our official inquiry to NC+, along with a note to the Polish Government
authority responsible for consumer rights (UOKiK [2], which corresponds
to the FTC in the US).

This goes along with our conclusion expressed during a JavaLand talk in 2016
(slide 53 [3]) after the FTC started an investigation against Oracle:

"Government authorities putting vendors to order over poor / deceptive
security practices can pave the way for SW liabilities".

The status of the communication will be visible at our SE-2011-01 project
pages:

http://www.security-explorations.com/en/SE-2011-01-status.html

Thank you.

Best Regards,
Adam Gowdiak

---------------------------------------------
Security Explorations
http://www.security-explorations.com
"We bring security research to a new level"
---------------------------------------------

[1] "Security vulnerabilities of Digital Video Broadcast chipsets", HITB Talk #2
     http://www.security-explorations.com/materials/se-2011-01-hitb2.pdf
[2] UOKiK - Office of Competition and Consumer Protection
     https://uokik.gov.pl/home.php
[3] "Java in(security)", JavaLand Conference, Mar 7-9, 2016, Brühl, Germany
     http://www.security-explorations.com/materials/se-javaland.pdf
