Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com) 85
"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com:
You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...
"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."
"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."
Yep, that's the entire point (Score:1)
Once again, everyone's threats, concerns, and "dire warnings" mean absolutely zero. It will happen and there is nothing anyone can do about it.
Re: (Score:1)
Yup, which is why there are no IOT products in my home. No smart meters, no nest thermostats, just ethernet cable and firewalls. So the rest of you can frig off in a handcart to hell and if I am not run over by a self driving bus you morons can debug the stuff for me. Bye!
Re: (Score:2)
Re: (Score:2)
I had email in 1986 punk :-)
Bruce Schneier ... (Score:1, Insightful)
... is an idiot in this instance when it comes to calling for legislation for IoT. The whole problem is humanity did not evolve to make rational decisions in a high tech free market society, no amount of legislation is going to overcome human's old meaty brain. Just like banks got bailouts because they own the government, any legislative body in america will quickly succumb to regulatory capture making the whole thing worthless. Not only that the internet is planet wide, you need co-operation with foreig
Re: Bruce Schneier ... (Score:3)
Yep. He needs to remember the old adage: be careful what you wish for; you might get it. He says see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation.
Stupid is what he's going to get.
Re: (Score:3)
Car and truck regulations, plane regulations, food and drug regulations, OHSA regulations, financial regulations, etc.
Without them, you'd be dead.
Re:Bruce Schneier ... (Score:4, Informative)
Re: (Score:1)
It's not Scheier's (or Hawking's, Musks', Gates', Berners-Lee's etc) job to figure out how to convince Trump and other government leaders to act responsibly. These people aren't politicians, although you could argue that Musk and Gates have developed some political skills.
Nobody can see the future with clarity, but these gentlemen clearly deserve to be heard, based on their track record, exposure to cutting edge research and researchers and innovating scientists and engineers. Maybe they're way off; but m
Re: (Score:2)
Bruce Schneier is a 'cryptography journalist.' He has no credentials beyond writing a controversial book over a decade ago about Cryptography and leveraging it into a career as a 'cryptography expert.' He is not a cryptographer, and thus not a 'peer' in the peer review process.
Well, maybe he's an 'expert' in journalistic/writer terms. Just like a blogger about Geology is a blogger about Geology.
Re: Bruce Schneier ... (Score:1)
He invented the Blowfish cipher. How is he not a cryptographer?
Re: (Score:1)
I read your entire post AC. I'm still waiting for your solution to this problem. Is it to let it all crash and burn? Seems better than a suggestion by Bruce Schneier.
Economics (Score:3, Insightful)
>But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning.
I highly doubt regulation will cause many iot companies to take security seriously, unless it has some teeth. And then regulation becomes a barrier to entry for smaller companies, so there would be fewer IoT sellers, and maybe that's a good thing according to Schneier.
Re: (Score:3)
In practice we're going to get 'best-practices' checklists that they check off (self-certified), which are so overspecific (and quickly out of date) that huge classes of vulnerabilities will be completely unaddressed, and others will be 'addressed' inadequately. What we NEED is a provision that if anyone manages to find a vulnerability that grants unauthorized entry, all units must be recalled and installed units shall be refunded (oh and the consumer gets to keep the installed unit). That'll guarantee a ba
Professionalize computer science (Score:5, Insightful)
Re: (Score:2)
those engineering activities are/will be moved to India. You need to hold upper management accountable.
Re: (Score:2)
those engineering activities are/will be moved to India. You need to hold upper management accountable.
People keep repeating this shit over and over. Some of it goes offshore. Some does not. And new stuff certainly doesn't, at least not until it gets mainstream.
It will change once China and India become more entrepreneurial and innovative (it's not a matter of IF but WHEN). But for the time being, and for a good while, roll with the punches and stay ahead of the curve. If you do the same job after 5-10 years, expect your work to go to wherever.
Re: (Score:2, Funny)
Re:Professionalize computer science (Score:5, Funny)
No, but maybe John von Neumann.
Re: (Score:3)
The scale of new bridges, road, buildings, power systems, etc. are dwarfed by computer science applications (those that do not involve new bridges, etc.) To expect the same level of standards is silly. That said, I wouldn't mind better legal ramifications for building something flawed.
Re: (Score:3, Insightful)
Until there is liability for poor designs and implementation there will be changes to improve quality and security.
Show me the equations that show if a bridge will hold up. Fine, those are well-known.
Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm, so that a Computer Science "Engineer" can place his professional stamp on one. And remember, nobody will buy Windows that takes thirty years to get out the door at six-thousand bucks a copy.
Really, though, do y
Re:Professionalize computer science (Score:4)
Show me the equations that show if a bridge will hold up. Fine, those are well-known.
Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm,
There is a reasonable interim step where the programmer proves that they utilized best practices. In some fields there are actually published standards, like say for people making PCMs for automobiles. Toyota got nailed on the unintended acceleration issue largely because they made no attempt to follow industry best practices or even their own internal practices, and their code had numerous bugs which should have been considered show-stoppers as a result. The code was so bad that it would regularly crash and fall back into an internal failsafe mode, and if they had followed best practices, it would have at minimum recovered itself to a sane state, which was not what happened.
Re: (Score:3)
With that said, not having a way to guarantee that your software is secure is no excuse for not exercising established security practices. They may not provide a 100% guarantee but it's better than nothing. A lot of the hacks of IoT equipment that we've been hearing so much about were possible because of inexcusable negligence on the part of the manufacturer.
Re: (Score:2)
There is no IoT .
There is only Zuul.
A separate "net" should be required for devices, a real IoT. Non-upgradeable net-connected devices is a bad idea. Have we not seen enough of this already?
That still doesn't protect the IoT from being taken down by it's own.
Do I have to register my arduino? (Score:2)
Re: (Score:2)
Of course I have servos connected to the arduino (and also to my rpi through an ssc-32). I also have random sensors, depending on what I'm playing with at the time. My ip is public enough to have been crawled by google.
I figure they make it a requirement to be a registered device to connect to the internet and hack some IP payload space to hold the registration number (I've done this before and is very easy).
Together, allegiance or death (Score:2)
Easy fix (Score:4, Insightful)
Don't buy IoT devices. Problem solved.
Everybody knows they offer marginally beneficial services to the user, and massive surveillance and privacy invasion opportunities for big data, unconstitutional government agencies and other sumbitches.
Re:Easy fix (Score:4, Insightful)
I don't think that 'everybody' knows this. Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.
Re: (Score:2)
Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.
Heck, even on Slashdot, where you'd expect people to be better informed and more concerned about privacy, lots of posters still have gmail addresses, Android phones (with location services enabled, no less) and use Google search and docs.
Re: (Score:2)
Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.
Heck, even on Slashdot, where you'd expect people to be better informed and more concerned about privacy, lots of posters still have gmail addresses, Android phones (with location services enabled, no less) and use Google search and docs.
Because IoT botnets != a gmail account or even an Android phone. IoT can be a privacy issue if you don't want the three letter people knowing the temperature in your basement. If you are actually concerned about privacy of the sort of things you do on the internetz, you wouldn't be on the internetz. Peace out.
Re: Easy fix (Score:5, Insightful)
That can be done now. Give it a few years, you won't be able to buy anything that is not made to be connected. Peer pressure, obsolescence and convenient buyback programs will take care of the reticent. It's a done deal.
Re: Easy fix (Score:5, Interesting)
Half of the water heaters at Home Depot have electronic control panels, and a good chunk of those have WiFi capability.
Do you trust Rheem or AO Smith to have enough IT security people available to know how to set the default state of these controls so that they're not exploitable?
Re: Easy fix (Score:5, Informative)
The thing is, as long as people pay for their own internet themselves, they're in complete control of what gets to connect to their wifi. So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless. And should they ever come with their own connectivity solution that bypasses the users' router completely, well... it's always possible to encase it in a Faraday cage of some sort.
As for trusting manufacturer with IT security, that's not the only problem: even if they're serious about it and actually qualified to secure your device properly, personally I'm more concerned about what they do with my data - how they snoop on my habits, how they intend to misuse that data, or whom they intend to sell it to.
If there's a buck to be made, company won't even consider moral or ethical use of the data they collect. That's the only thing you can bet on with big data.
Re: (Score:2)
I wouldn't touch any IoT thing that could get hot or explode with a borrowed bargepole, but my understanding is that a lot of them can only be operated via the manufacturers' sites.
Re: (Score:2)
Meraki water heaters from Cisco!
Re: (Score:3)
Unfortunately my water heater uses my house's pipes as an antenna. I tried putting up Faraday cage wallpaper (even on the ceiling!), but am unsure what to do about the windows. Oh well, no windows means more privacy, right? Now I'm just worried that I didn't layer enough aluminum foil on the basement floor to stop the mole-drones from snooping on me. Stop trying to hack into my precious, life-giving water! I paid for that, mole-drones, not you! Well, my mom did, but still.
Re: (Score:2)
Unfortunately my water heater uses my house's pipes as an antenna. I tried putting up Faraday cage wallpaper (even on the ceiling!), but am unsure what to do about the windows.
Aluminum screens, compatriot! As long as the mesh is small enough, you can block the insidious radio frequencies of those who would steal your vital bodily fluids.
Re: (Score:2)
Did you try using PVC on the cold side and CPVC on the hot side to act as short couplers to isolate the water heater from the copper plumbing?
Also don't forget to put a PVC fitting on the emergency valve.
Re: (Score:2)
Don't buy IoT devices. Problem solved.
Stick your IoT devices behind a firewall and heavily restrict or even deny Internet access but allow LAN access. Problem solved.
You want to consult what's inside your wifi enabled refrigerator while bored at a movie? You can't. Deal with it.
Re: (Score:2)
Unless you are in your dotage and your health monitor phoning home regularly is your lifeline to continued existence.
Dial "F" for Frankenstein (Score:2)
TFA immediately made me think of the Arthur C Clarke story in which the "first cries" of the unintentionally created artificial intelligence that arose from the hook up of a world-wide telephone exchange was that every phone around the world rang at the same time.
What will it be for us? All the refrigerator doors on the planet opening at the same time?
Re: (Score:3)
Security cameras simultaneously turn off. The UK is particularly affected.
Thomas Hobbes' Leviathan (Score:1)
Two Faces of Tomorrow (Score:2)
James Hogan imagined the next step of the world wide network in "The Two Faces of Tomorrow". Including how it could affect the outside world -- the mass driver was great.
I see it as a choice ... (Score:2)
I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation.
SPOILER: stupid government regulation wins. There's no money to be made in "smart." If it just works, everybody forgets. if it's always breaking, the recriminations and money trail goes on for years and years.
(GOD I'm getting cynical in my old age.)
Re: (Score:2)
It is not one giant robot! (Score:5, Insightful)
Schneier gives kind of a "shouting at clouds" vibe. The Internet is not like a truck you load things into or off of, it's not a series of tubes, it's not one giant robot that will turn into Skynet once it achieves sentience.
Internet Green is people! Wait, still the wrong movie, but closer.
The Internet is made up of billions of devices, each with different capabilities, each with their own purpose and "goals", influenced by others in its social network. Some of these influencers are nearby, some are far away; some are humans, some are machines. Some of these machines are robust against malicious interference, but most have weak points.
The Internet does not look or act like a single robot. It looks and acts like a network or society, not a monolithic entity, and talking about it as a monolithic thing encourages unwise reactions.
Re: (Score:2)
The Internet does not look or act like a single robot.
Ever heard of the Mirai botnet? Seems to act pretty much like a single robot and it's pretty effective at taking stuff down. And according to Schneier, we ain't seen nothin' yet.
Re: It is not one giant robot! (Score:3)
What fraction of a percent of the Internet did that consist of?
The diversity of IoT devices means that you'll need different attack vectors and payloads to compromise then and then exploit that access. We must not be complacent, but pretending there will soon be a Skynet is unwarranted and counterproductive.
More proof Schneier has been turned. (Score:1)
Just in case anyone was suspicious after he came on the Tor Project board after the big executive shakeup there.
The call for more regulation won't help with security problems, it will exclude even more people with the knowledge but not the degrees, and it doesn't solve the fundamental issues, most of which are based in design errors or assumptions in the hardware or software which should be fixed and formally proven, as was done in the secure L4 kernel concept. Short of that software will still be at the me
IOT's Creators Are Clueless - Totally Clueless (Score:5, Insightful)
Re: (Score:2)
I'll bet the idiots at the top of the engineers company are thinking corporations as government and how great that will be, for them (psychopaths creating a world where their insanity is the norm).
Re: (Score:3)
I hope that after your conversation you removed said engineer from the gene pool.
Re: (Score:1)
"It is difficult to get a man to understand something when his salary depends on his not understanding it" - Upton Sinclair circa 1935
Re: (Score:1)
I had a 2 hour conversation last year with an IOT devices engineer who works for a multi-billion dollar Japanese Corporation. They guy didn't think Privacy was important or at risk at all through IOT devices. "Every home will have many of them soon" he said. He thought that realtime 3D face recognition - CCTV networks being able to identify you ANYWHERE IN PUBLIC with great accuracy even if you are not facing the camera, have grown a beard or are wearing a baseball cap - was a great step forward in human technological development.
It was you who were unable to understand another culture, much the same way that engineer is unable to understand what you are worrying about.
(Disclaimer: I am not Japanese, but I am living in East Asia and have quite a bit of contact with Japan culture)
Firstly, Japanese mostly believed their government to be mainly benevolent, i.e. their country was not built upon overthrowing/separating from a larger empire. It might be somewhat corrupt (as money-grabbing), but that is very far from having any intend to h
Re: (Score:3)
...If you think any legislative solution won't be perverted by mega corps to fuck people over even more your a delusional tool.
Even more delusional is you thinking you still have a chance at winning.
When 99% of the population is being tracked and you choose "not to play", you will be playing by default as the anomaly. You will be easily tracked because you will stick out and it will be rather obvious.
Many people have already accepted this fact, which is why attempting to regulate some constraint around it is the next logical step. If you must live with a monster, then you'll at least try and put it on a leash.