Compliance with California's Senate Bill No. 327, for information privacy of connected devices



  • Hi, NetGate stuff!

    How You manage compliance with California's Senate Bill No. 327, for information privacy of connected devices, the handling of the root password for newly manufactured products is changing.

    Products manufactured after January 1, 2020 will no longer use a fixed, default root password. Rather, a per-device, unique password will be assigned during manufacturing, and will be visible on a product label. It will still be possible to change the password for the root user on a per-device basis.

    Thank You for answering!



  • Netgate is made in Austin, Texas.

    The password printed on a visible label is worse then default passwords. IMO
    People are lazy and will not want to change it.



  • @Sergei_Shablovsky said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    Products manufactured after January 1, 2020 will no longer use a fixed, default root password. Rather, a per-device, unique password will be assigned during manufacturing, and will be visible on a product label

    It's already been done...there is a code (unique password not erasable) that's printed on the device to use in conjunction with the default password. I bought a camera last Christmas and that's how it was...if fact, there was no mention of the default password...I found that out on the forum. But, that is if I am manually entering the camera. The intent was to use one's phone as the additional password plus the code on the device. So, in essence, it's safe.



  • @NollipfSense said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    @Sergei_Shablovsky said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    Products manufactured after January 1, 2020 will no longer use a fixed, default root password. Rather, a per-device, unique password will be assigned during manufacturing, and will be visible on a product label

    It's already been done...there is a code (unique password not erasable) that's printed on the device to use in conjunction with the default password. I bought a camera last Christmas and that's how it was...if fact, there was no mention of the default password...I found that out on the forum. But, that is if I am manually entering the camera. The intent was to use one's phone as the additional password plus the code on the device. So, in essence, it's safe.

    What you are describing is also similar to what is known as two factor authentication. I'm not a big fan of that and refuse to signup for that on any website/business that I do business with. That is some more of Google's mess that they have been pushing for the last few years.



  • @jdeloach said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    @NollipfSense said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    @Sergei_Shablovsky said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    Products manufactured after January 1, 2020 will no longer use a fixed, default root password. Rather, a per-device, unique password will be assigned during manufacturing, and will be visible on a product label

    It's already been done...there is a code (unique password not erasable) that's printed on the device to use in conjunction with the default password. I bought a camera last Christmas and that's how it was...if fact, there was no mention of the default password...I found that out on the forum. But, that is if I am manually entering the camera. The intent was to use one's phone as the additional password plus the code on the device. So, in essence, it's safe.

    What you are describing is also similar to what is known as two factor authentication. I'm not a big fan of that and refuse to signup for that on any website/business that I do business with. That is some more of Google's mess that they have been pushing for the last few years.

    Yes, I guess you can call it two-factor authentication...I am the same and why I chose the manual method so I don't have to give out my phone number.



  • @jdeloach said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    @NollipfSense said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    @Sergei_Shablovsky said in Compliance with California's Senate Bill No. 327, for information privacy of connected devices:

    Products manufactured after January 1, 2020 will no longer use a fixed, default root password. Rather, a per-device, unique password will be assigned during manufacturing, and will be visible on a product label

    It's already been done...there is a code (unique password not erasable) that's printed on the device to use in conjunction with the default password. I bought a camera last Christmas and that's how it was...if fact, there was no mention of the default password...I found that out on the forum. But, that is if I am manually entering the camera. The intent was to use one's phone as the additional password plus the code on the device. So, in essence, it's safe.

    What you are describing is also similar to what is known as two factor authentication. I'm not a big fan of that and refuse to signup for that on any website/business that I do business with. That is some more of Google's mess that they have been pushing for the last few years.

    You are totally wrong: the 2-factor auto is about to confirm user identity let’s say “at time of operation”: bank transaction, change accounts settings, etc. important things.
    Possibility of stealing Your SMS by gsm hijacking is one big thing that compromise 2-factor auth based on SMS.
    But exist a lot of other 2-factor auto out SMS-based method, like QRcode on screen and Apple Auth.

    Apple Auth based on internal secured technology, and all Your sensitivity physical data (mean face recognition data, fingerprints) do not leave the iOS device and stay encoded inside NVRM chip.
    No possible to hack this info or steal (as You must see all FBI efforts in this way and pressure on Apple has no result, - no one able to read this secured info).

    No any other non-military vendor provide technology like this. So why using outdated SMS technology from Google, especially we see how Google spy on users for last 10+ years?

    But anyway I wrote about one unique password per device, because Firewalls are very security sensitive device and most of sysadmins are just too lazy animals :)


  • Rebel Alliance Developer Netgate

    If you read the text of the bill, it isn't that specific. Nothing about labels. Really needs input from actual lawyers.

    We're looking into what needs to happen, and we'll do what we are legally obligated to do, whatever that may be.

    Notably:

    [1798.91.04.] (b) Subject to all of the requirements of subdivision (a), if a connected device is equipped with a means for authentication outside a local area network, it shall be deemed a reasonable security feature under subdivision (a) if either of the following requirements are met:
    (1) The preprogrammed password is unique to each device manufactured.
    (2) The device contains a security feature that requires a user to generate a new means of authentication before access is granted to the device for the first time.

    1798.91.04. (b) could be taken to mean that since the default configuration doesn't allow logins outside the local network, the rest of the rules don't apply. Though since it is technically capable, then it probably does apply.

    Note that only one of either 1798.91.04. (b) (1) or 1798.91.04. (b) (2) need to happen, not both.

    1798.91.04. (b) (1) only requires a unique password per device. Nothing about being printed on labels, though that may be a convenient/user-friendly means to comply.

    1798.91.04. (b) (2) only requires that the user be forced to change the initial password at first login, it doesn't have to be unique.

    The wizard gives the user the opportunity to do (2), but doesn't force it, though the GUI does complain loudly with a red banner on every page if the user doesn't change it. Wouldn't take much to make that more forceful.

    Netgate devices ship with a couple unique identifiers on the label like the NDI, serial number, and so on. If we pre-set the password to one of those on devices sold by Netgate, that might also comply.

    But as I said, I'm not a lawyer and only a lawyer can really say what will comply.

    Anything else like multi-factor auth is irrelevant here.



  • Glad to read that Netgate as FW manufacturer keep attention on this. :)


Log in to reply