
Just thinking out loud here - why isn't there legislation that makes it mandatory for phone manufacturers to send out a notification to all devices affected by serious security flaws (like this one)? Not only will fixing and rolling out an update take a while, there is also no guarantee that the update will be installed. Meanwhile, hackers will have a field day.

Or maybe there is already one, and I'm blissfully ignorant!



Just to play devil's advocate (not a lawyer though):

What constitutes a "phone"? Any device with cellular capabilities? What about WiFi calls? What if it's an industrial device with no network (LTE/data) access? Is a laptop with a 3G modem covered under this?

I would suspect the problem is in defining what devices to target, and also the fact that forcing any company to modify the functionality could be perceived as a slippery slope (i.e. security notifications first, NSA backdoors later...)

In Apple's defense, it is pretty difficult to miss an update alert considering it comes through as (a) a push notification, (b) a mandatory alert, and (c) a persistent red badge on the Settings app.

I agree that it might be a good idea to differentiate between a normal update and a security critical one, though.


Valid points. How about restricting the scope to devices connected to a network and having some sort of push notification capability?

> In Apple's defense, it is pretty difficult to miss an update alert considering it comes through as (a) a push notification, (b) a mandatory alert, and (c) a persistent red badge on the Settings app.

> I agree that it might be a good idea to differentiate between a normal update and a security critical one, though.

But there is no mention of severity like you pointed out, and that is crucial. And till such a patch is available, Apple should notify users to disable offending apps/features if possible.


So... every computer running some sort of syslogd?


Not sure if I'll define it that way, but why not? If my mobile device is capable of showing inane ads as push notifications, why can't I expect security advisories to be delivered that way?


I think Apple benefits from safe harbor law - but I can't cite the statute. In this case I think the legal liability is against the bad actor. Not the corporation that let this bug out into the wild.

I imagine at some point the government will regulate software and the liability may shift. It could be good, but it could also be bad.



