a) People shouldn't have to flash their firmware to have an adequate level of security. If we're creating software we should hold some at least responsibility to provide basic security. Engineers in other fields take safety extremely seriously, why should software only provide it to a small percentage of people with technical knowledge?
I think you are comparing fundamentally different threat levels.
Say you're designing a car. A cool, safe car in which passengers survive head-on collision with a wall at 100km/h with 100% chance. That's a nice car, but it can't save you if someone shoots you in the head with a 9mm through the windshield, unfortunately. You want that kind of protection? You go and buy special car with bulletproof glass and additional security measures.
Your router may save you against someone typing 192.168.0.1 in browser and getting full rights without password. But it won't (and probably can't) save you from someone with enough tech knowledge and determination by default.
> b) Using up-to-date operating systems with update processes and security-conscious decision-making when packaging 3rd-party software is not a huge cost to these companies.
Well they won't want to spend it. People will buy them anyway like they do now.
I think the difference here is that your hypothetical gunman taking potshots at passing cars/routers (i.e. random hackers) is a lot more of a clear and present danger in the post-Snowden world than real gunmen in the real world.
In other words, that armor glass should come standard, and there's no excuse for it not to.
Microsoft learned this lesson - you either design for security up front or you design for security after the fact, the hard way, breaking things as you go and annoying users.
Here's another way to look at it: Should a router be at least as secure as a modern (evergreen) browser? Specifically, is it acceptable to have known trivial remote exploits going unpatched forever?
a) People shouldn't have to flash their firmware to have an adequate level of security. If we're creating software we should hold some at least responsibility to provide basic security. Engineers in other fields take safety extremely seriously, why should software only provide it to a small percentage of people with technical knowledge?
I think you are comparing fundamentally different threat levels.
Say you're designing a car. A cool, safe car in which passengers survive head-on collision with a wall at 100km/h with 100% chance. That's a nice car, but it can't save you if someone shoots you in the head with a 9mm through the windshield, unfortunately. You want that kind of protection? You go and buy special car with bulletproof glass and additional security measures.
Your router may save you against someone typing 192.168.0.1 in browser and getting full rights without password. But it won't (and probably can't) save you from someone with enough tech knowledge and determination by default.
> b) Using up-to-date operating systems with update processes and security-conscious decision-making when packaging 3rd-party software is not a huge cost to these companies.
Well they won't want to spend it. People will buy them anyway like they do now.