alt Hacker News> no Gov agency would ever mandate secure firmware
Interestingly, Europe is about to try this: the Cyber Resilience Act is going to become obligatory for all sold digital products (hardware & software) by the end of 2027, with a bunch of strict minimum requirements: no hardcoded default passwords, must check for known vulnerabilities in components/dependencies, encryption for data at rest, automatic security updates by default (which must be separate from functionality updates), etc.
Remains to be seen whether this'll help, but good to see somebody have a go at fixing this.
Encrypting data at rest is security theatre right? Unless consumers control the keys (which they generally dont want to), the keys will have to be accessible by the system storing the data. So if the system is compromised so are the keys? Like I cannot see the security benefits from encrypting data at rest in a non E2E system.