Stanford Starts the 'Secure Internet of Things Project'
An anonymous reader writes: The internet-of-things is here to stay. Lots of people now have smart lights, smart thermostats, smart appliances, smart fire detectors, and other internet-connected gadgets installed in their houses. The security of those devices has been an obvious and predictable problem since day one. Manufacturers can't be bothered to provide updates to $500 smartphones more than a couple years after they're released; how long do you think they'll be worried about security updates for a $50 thermostat? Security researchers have been vocal about this, and they've found lots of vulnerabilities and exploits before hackers have had a chance to. But the manufacturers have responded in the wrong way.
Instead of developing a more robust approach to device security, they've simply thrown encryption at everything. This makes it temporarily harder for malicious hackers to have their way with the devices, but also shuts out consumers and white-hat researchers from knowing what the devices are doing. Stanford, Berkeley, and the University of Michigan have now started the Secure Internet of Things Project, which aims to promote security and transparency for IoT devices. They hope to unite regulators, researchers, and manufacturers to ensure nascent internet-connected tech is developed in a way that respects customer privacy and choice.
Re: (Score:1)
Are you kidding. You might crib some code from the project, but I GUARANTEE you will strip out any code "that respects customer privacy and choice".
Right now, interoperability just means that more companies have direct, unfettered, access to whatever data is generated by the devices you purchased.
Dumb as a Rock (Score:5, Funny)
I prefer a Dumb Home. Our home is built of stone. It has no brains. It is solid state. It stores incoming solar and wood fired heat and then releases it slowly. It never freezes despite our very cold northern mountain winters. It's too much thermal mass to freeze. Dumb wins. The doors are manual. The windows are manual. The security system is operated by a pack of local wolves - they eat predators. We have no thieves.
Re:Dumb as a Rock (Score:5, Informative)
Your post is just nonsense.
Our stone house only cost $7,000 to build. That is not expensive. It's so low cost that I built it out of pocket money without needing to get a mortgage to build my home. This means I'm not paying interest on that too. Additionally the taxes are lower than a comparable sized stick built house so each year I save on taxes. And the maintenance is almost zero.
Our house cost less to build, less to maintain, less to heat and cool and is taxed less. It's extremely affordable. Not only that it is simple so most anyone could build their own making it accessible.
Our house will also last for hundreds to thousands of years instead of the typical 25 to 50 years of stick built houses.
Dumb rock house wins again.
You may not like losing but at least make sense with your responses.
Re: (Score:2, Informative)
Who? I did. It has full plumbing, heating, electric, etc. It is interesting how someone like you says something is not true when you have no facts to base it on.
By the way, you lose the wager. Pay up.
Re: (Score:2)
See:
http://sugarmtnfarm.com/cottag... [sugarmtnfarm.com]
That starting page will take you onward to many more pages that extensively document how we did it. It took two months to prep and build the shell to the closed in point. Then winter hit - we have a short construction season here in the north.
This does not include the land - I already owned that - the discussion was the cost of building the house. I was not gifted the materials. The $7,000 is the materials. Our family of five (2 adults, 2 teens, one small child) supplied
Re: (Score:2)
I think you would probably make a lot of sacrifices for 252 square feet. That's a square 15 feet on a side, smaller than a standard 2 car garage. My dad lived in a 40 foot motorhome (8 ft x 40 ft) and that's 320 square feet and it felt small when I stayed in it; plus, most everything was motorhome-sized (stove, toilet/bath, etc) and a lot of built-ins & storage efficiencies.
This guy says he has a wife and 3 kids -- I think it might take some religious type orientation to live in a cold climate with 5
Re: (Score:1)
To be fair, that's not something most people could do. Presumably you have the relevant certifications for installing electrical wiring and plumbing, hooking up to the networks etc. Not everywhere has a cheap supply of stone, or even allows stone buildings to be built.
I'm not suggesting what you did wasn't great, it is, but it's just not a very useful comparison for most people.
Re: (Score:2)
I have no certifications nor do I need them. It is something that most people could do. How to do plumbing, electric, etc is all on the internet and in books. Most people are intelligent enough to follow the step-by-step instructions and do it. They may or may not have the creativity to come up with the plan to start with but once they have the plan they could do it. I extensively documented how we built our house. There are lots of other articles and books out there about how to build your own house.
If you
Re: (Score:2)
I have no certifications nor do I need them. It is something that most people could do. How to do plumbing, electric, etc is all on the internet and in books. Most people are intelligent enough to follow the step-by-step instructions and do it. They may or may not have the creativity to come up with the plan to start with but once they have the plan they could do it. I extensively documented how we built our house. There are lots of other articles and books out there about how to build your own house.
I've seen a fair bit of amateur wiring, and I can assure you that most people are not capable of safely wiring up a house. In any case, without certification the electricity company won't let you connect to the grid, so you are reliant on what you can produce.
So, nice work, but not very practical.
Re: (Score:2)
I've seen a fair bit of amateur wiring, and I can assure you that most people are not capable of safely wiring up a house.
Isn't this slashdot? Don't we assume that regulars here are capable of learning this?
In any case, without certification the electricity company won't let you connect to the grid, so you are reliant on what you can produce.
Not only is that not a big problem any more, but all a contractor has to do is sign his name to a piece of paper and you're allowed to connect to the grid. And all he has to do before he does that is look over some of what you've done and see that you know what you're doing.
Not long after I moved into this rental I live in now, I corrected a neutral fault to ground, probably created by a prior resident. So yeah, people can
Re: (Score:2)
And there lies the error in your assumptions. You assume that because you have seen X that most are X. That is not statistically or scientifically valid. In fact, it is irrational.
You are also wrong about your statement about connecting to the electric company. This further demonstrates your lack of knowledge. You're talking through your hat. We are utility connected.
Reality check: The state inspectors saw my work and were delighted with it. They said they wished everyone did such a good job, including prof
Re: (Score:2)
And there lies the error in your assumptions. You assume that because you have seen X that most are X. That is not statistically or scientifically valid. In fact, it is irrational.
You are also wrong about your statement about connecting to the electric company. This further demonstrates your lack of knowledge. You're talking through your hat. We are utility connected.
*facepalm*
So I'm wrong for speaking from experience, but you are right because you speak from experience. I can tell you with absolute certainty that in my entire country you can't hook anything up to the grid without it having been inspected and signed off by a qualified electrician, and they generally won't even consider DIY installations for liability reasons.
Re: (Score:2)
No, you're wrong from applying your experience over someone else's experience and saying that your experience rules. You're failing to accept the possibility that there are other ways that don't fit your world view.
I hope your face gets better after that face palm.
Re: (Score:2)
That will be interesting. I live in the stone house. I doubt he can blow it down. :)
Re: (Score:1)
It's interesting how you only say "I did it" without explaining how you did it.
Most cost estimating uses ~$100/sq ft for residential properties, which would make your stone house 70 sq. ft.
Provide some facts -- finished square feet, internal materials and features, cost of land, etc, otherwise I have to remain skeptical.
Re: (Score:2)
Actually, I have explained it and documented it extensively. See:
http://sugarmtnfarm.com/cottag... [sugarmtnfarm.com]
and then for another similar project read about how we're almost done building our own on-farm USDA/State inspected Meat Processing facility - a _much_ larger project at:
http://sugarmtnfarm.com/butche... [sugarmtnfarm.com]
Largely, the cost of building a house is labor. Supply your own labor and you dramatically cut the cost.
Another big part of the cost is architects, engineers and other consultants. Be your own or use available
Re: (Score:2)
Interesting. How big is it? I didn't see any size estimates (nor did I spider the web site, either) but it looks pretty small -- 20 ft or less on the long side, maybe 10-15 on the short side, call it 300 sq ft. That's extremely small -- the standard size for a two car garage is 400 sq ft.
While it's impressive that you were able to produce an entire house for $7k, had you said "yeah, we built a stone house for $7k and it's only 300 square feet" it would have seemed more realistic.
It almost seems like you
Re: (Score:2)
Read the article and you'll find all the details.
How big is a house was not the question. The issue at question is smart vs dumb houses, longevity, long term costs, ability of people to build their own. Some people choose to live in very large houses. Some choose small houses. That is an irrelevant variable. The question is can you affordably build a long term house. Most people can if they want. Do they need the Smart House fancy technology? No. That drives up the cost and isn't going to be supported long
Re: (Score:2)
252 square feet is smaller than a lot of New York City apartments. A king size bed alone is 42 square feet.
I do agree that a lot of the "smart house" technology isn't very sustainable, and realtors I've talked to tend to say that it actually makes houses hard to sell.
I suspect, though, that some flavor of smart technology will become more normal at least with regards to electricity. I think improvements in battery capacity, reductions in net metering value and so on will get more people running from mixe
Think business, not technology (Score:5, Insightful)
Re:Think business, not technology (Score:4, Insightful)
Then somebody hacks into a thermostat, uses it to burn somebody's house down for luls. The couple whose house was burned down tries to sue, loses due to the contract that says their only recourse is a refund of the 50$ even though WTF, it makes all the news everywhere, and the device is forever known as "that device that burned some guy's house down and they gave him a whopping 50 bucks". They're now out 50 bucks in direct cost, and a jillion dollars in lost sales.
We sometimes forget the economics side of things, but companies *often* forget the social side of things (i.e. if you treat people like crap, they'll tell their friends, who will tell their friends, and eventually you'll be "that company that treats people like crap". Unless, of course, you're a monopoly, or if all your competition is equally terrible, in which case do what you like.)
Re: (Score:2)
As a real engineer let me explain how it works. Both of you are a bit off.
Even if you hire security engineers, they will be overridden by the need to add marketable features and reduce support costs. If it's too hard to set up, if it can't do what the competitor's product can do, security is irrelevant and will be at best an afterthought.
In practice, they won't hire security engineers with that $500k, some manager will spend $5k on PR making them out to be the victims if they are hacked, and the rest will b
Re: (Score:2)
Then somebody hacks into a thermostat, uses it to burn somebody's house down for luls.
How do you propose it will even do this? The thermostat just asks the heater for heat, the heater typically has an overheat switch and will shut itself off if somehow it approaches starting a fire.
How about IoT devices use a LAN? (Score:3)
TFA was "meh" at best, but why not design a secure architecture where the $50 device communicates to some type of secure hub (or hubs if one wants redundancy), and the hub is what communicates on the Internet. This way, only one device has to be hardened against attack via the Net. Yes, it doesn't stop attacks done at the LAN level... but any security is better than none, and it would help lock out all intruders except those close by in physical proximity.
This can be done a number of ways, by the central hub being a Wi-Fi AP, or just part of a BT PAN pairing.
To boot, if devices need to communicate with a remote site, there are many ways to communicate via secured link.
A hub topology is the proper way to do IoT. Letting every device go out via 3G or whatnot is only asking for compromise.
Realistically, if the device is "smart", it should just get passed up. If we don't pass up on these devices, we will be seeing fridges demand one sit through a 30 second ad before it unlocks the door, or the oven allowing Slurm brand turkeys to be baked in it.
Re: (Score:2)
would you kill me if i told you every single password to every single account of every single computing account? on every platform ever imagined, with up to 2048 bit password lengths in an automatically compressed (only used space of passwords not 2048 bit for every single password) format in rot 13 encryption?
Re: (Score:2)
note: i'm not claiming i can do this, i only have 25 GB blurays to store it on so it probably cuts off. but really i mean why the hell do we need 100 years of chat logs for every single marine made in any starcraft game ever played.
Re: (Score:2)
and why do they all have houses families kids and favorite movies and favorite books, and high paying jobs in wet lush paradise cities where they only fade away when the hard drive fill up.
Here's my way... (Score:1)
How to secure 'Internet of Things' things: Firewall them off from having access to the Internet.
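The hub topology proposed in "How about IoT devices use a LAN?" and the firewall suggestion in "Here's my way..." can be expressed as one gateway forwarding policy. The ruleset below is an added illustration, not part of any poster's comment; the interface names, the hub address and the choice of TCP 443 as the hub's only outbound port are assumptions.

```nftables
# Added example (nftables), loaded on the home gateway with: nft -f iot-gw.nft
# All names and addresses below are constructed placeholders.
define wan_if = "eth0"          # uplink to the ISP (assumed name)
define lan_if = "br-lan"        # trusted home LAN (assumed name)
define iot_if = "br-iot"        # separate segment for the $50 devices (assumed name)
define hub_ip = 192.168.50.2    # the single hardened hub (assumed address)

table inet iot_gw {
    chain forward {
        type filter hook forward priority filter; policy drop;

        # Replies to connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the Internet and may manage IoT devices.
        iifname $lan_if oifname $wan_if accept
        iifname $lan_if oifname $iot_if accept

        # Only the hub may talk to the Internet, and only over TLS.
        iifname $iot_if oifname $wan_if ip saddr $hub_ip tcp dport 443 accept

        # Any other device on the IoT segment trying to leave is logged,
        # which doubles as a cheap detector for a device phoning home.
        iifname $iot_if oifname $wan_if log prefix "iot-egress-drop " drop

        # Everything else falls through to policy drop: new connections
        # from the WAN to IoT devices, and IoT devices reaching the LAN.
    }
}
```

This does nothing about a device that brings its own cellular modem, which bypasses the gateway entirely.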
There is no IoT (Score:3)
Similar are the mobile-phone network IoT car-based devices, a number of which will "IoT" when back at base, through secure WiFi to a private server, with no data in the loop *ever* traveling over the Internet (unless the customer buying the solution goes out of their way to send things over a WAN, that's still not Internet connectivity, just using the Internet for a private WAN).
The level of control around IoT at the moment prevents any IoT from working over the Internet. The IoT is when every device in your house is connected (probably IPv6, with a
IoT is unsecurable (Score:3)
For example, your house has ACME smart thermostat, ACME smart fridge, and ACME remote baby monitor device all connected to the Internet. Since ACME is competing/pressured based on price-point to keep their ShopMart contracts going, they have not spent any time securing their devices. It is 2025 and they are still stuck using badly-broken TLS 1.4! Fortunately for the consumer, the home router market stepped up and developed sophisticated access controls, reputation services, pattern-based communication analysis, and anomaly detection techniques. This way when a script kiddie attempts to exploit your thermostat, the router detects the attempt and blocks the access to the IoT device.
Re: (Score:2)
Some IoT devices will wind up with their own cellular antenna. This will wind up being used as a nice entry point for attackers who will be able to jump through the device to a private network, or just use it for distributed Dogecoin mining.
Re: (Score:2)
Don't forget, ACME smart appliances all require you to agree to letting ACME access your address book, location, browsing history and other personal information. But their website says "We take your privacy seriously".
Re: (Score:2)
You can create a secure base OS that runs on low cost ARM, for example, and then have a limited, sandboxed application layer. Think browser plugins - they can do a lot, have network access etc. but are executed on a virtual machine (Javascript) and with heavy sandboxing, with masses of security protections in place.
The problem with embedded systems is that you often can't remotely update the OS, or if you can manufacturers won't bother. You can limit the damage from exploits to things like information leak
Internet of Stupid Things (Score:2)
I'll be interested in the Internet of Things as soon as I can get an IPv6 address for my balls.
Re: (Score:2)
I'll be interested in the Internet of Things as soon as I can get an IPv6 address for my balls.
Then rejoice! Hurricane Electric [tunnelbroker.net] will give you your own /48 for free. Just set up a box to accept and route it and you can assign an IP to every single sperm in your beloved balls.
Re: (Score:2)
Do they also make a router that looks like Scarlett Johansson? I may find this "internet of things" acceptable after all.
Naming (Score:2)
This actually sounds like a good thing--namely a Secure Internet of Things. But I think that might be a large undertaking. Perhaps they should start smaller with an Internet of Secure Things.
The internet-of-things is here to stay. (Score:4, Interesting)
The internet-of-things is here to stay.
To the contrary, in my experience most things that have a catchy name before they are implemented go nowhere. Multicasting, Named Data Networking, Internet of Things, OLP, Web Ontology, Neural Networks, etc. The project is more focused in sounding trending than in finding reasons why things want to access the internet (presumably so that your toaster can watch youtube videos while you are away?)
Successful projects usually start from the other end. People first create a small iteration of the thing that proves the concept, it starts to catch up (fancy name might be created here but this is entirely optional) and one day you turn around and it's taken over the world.
Re: (Score:2)
The internet-of-things is here to stay.
To the contrary, in my experience most things that have a catchy name before they are implemented go nowhere. Multicasting, Named Data Networking, Internet of Things, OLP, Web Ontology, Neural Networks, etc. The project is more focused in sounding trending than in finding reasons why things want to access the internet (presumably so that your toaster can watch youtube videos while you are away?)
Successful projects usually start from the other end. People first create a small iteration of the thing that proves the concept, it starts to catch up (fancy name might be created here but this is entirely optional) and one day you turn around and it's taken over the world.
On the other hand, if IoT does take off, then about 3 to 5 years after that I'm going to start a new company and sell products with the exciting label of "Not Internet Connected!", and I'll make billions.
Color me a skeptic, but... (Score:4, Interesting)
...from my experience with embedded engineers, the past cluster-f*cks implemented by that category of engineer (think SCADA), and the more-of-the-same coming down the pike (think "we'll just invent our own security rather than using proven solutions"), it's doomed from the start. These are guys that optimize down to the last 1/8 of a bit of RAM, the last 10Hz of processing speed, the last milliwatt of power. Given that mindset, they don't have a clue that security is a top line concern for anything that communicates with the outside world. The necessary solutions are just way outside their sense of scale.
There is also this intrinsic mistrust of anybody else's code, which is polar opposite to the instincts required to do proper security. Of course, if you see the crap code they get force-fed from the chip vendors, and anything else that has to run in 16K of code space, it's not hard to see where the bunker mentality comes from.
But I've peeked into that world, and I don't see it changing. That's going to be a Very Bad Thing(tm).
I've always wondered (Score:2)
I had a friend back in Junior high who used to do just that - it's not uncommon. So is Mom and Comcast now disseminating kiddie pr0n?
Fun History fact. Winston Churchill used to run around the house naked.
The safest strategy (Score:4, Interesting)
The safest strategy for connecting everything in your home to the internet is....don't.
Why the fuck do you need to connect your front door lock, your coffeemaker, and your refrigerator to the internet?
Forget to lock your door? GO BACK AND LOCK IT. People have been doing it for 1000 years and the world continues to spin.
Don't want to get up in the morning to turn on your coffeemaker? Either a) get up and stop being a pussy or b) get one of the umpteen programmable ones, or c) just plug your damn coffeemaker into a christmas-light timer set to power up before you wake up.
Want your refrigerator to tell you when you're almost out of milk or better still, to automagically order restocks of food? LOOK INSIDE IT. Decide what you need to buy. THEN GO TO THE STORE. You'll meet actual humans there, and interact with them. I suspect there's more actual human value to that than to the supposed minutes you'll save (so you can what, play more video games? Do some more work emails?) not doing those things.
Re: (Score:2)
It all seems like utter bollocks to me anyway, but a home intranet seems even more pointless unless you live in Buckingham Palace or something. (How hard is it for a normal person to walk downs
Alternate realities (Score:3)
Internet connected toasters were supposed to be a joke highlighting the futility of pursuing technological solutions to problems that don't exist.
Now we have assistant professors at Stanford acting like politicians who quote the Onion to defend their policy positions.
Go home, IoT - you're drunk (Score:2)