We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com) 140
Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book titled, Click Here to Kill Everybody which is on sale now. Here's an excerpt from his interview with MIT Technology Review: Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.
Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.
Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.
Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.
Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.
Click Here to Kill Everybody (Score:4, Insightful)
Re: (Score:1)
Sounds like a book Bender would write...
Yet factually incorrect from the first sentence (Score:5, Informative)
Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.
"There's no industry that's improved safety or security without governments forcing it to do so.", he began.
Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me to", but the NFPA and fire codes were created by insurance companies, not government.
The auto companies were advertising safety innovations for half a century before there was any major legistlate. From Dusenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.
So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.
Re: (Score:2)
Re: (Score:1)
I think you're reinforcing his point. The example you cite the insurance companies created standards to be applied/enforced to the insured. The insurance companies are acting in the same role Schneier wants government to fill against manufacturers. In your example it's not the insurance industry policing itself, it's the insurance industry policing people it's uniquely positioned to enforce policy on. I'm not sure there's another non-governement entity in that same position to enforce policy on the breadth
Re: (Score:2)
Belts were an advertised feature, sold at Chevron (Score:2)
> Remember the introduction of seat belts? Yeah, that had to be mandated
Seat belts were a highly advertised feature. Later, it was such a popular feature that gas stations sold them for installation in order cars, much like large stations sell aftermarket cupholders today.
Here's a Chevron ad, only $5.95 for this great seatbelt:
https://www.thrillist.com/vice... [thrillist.com]
After Ford was putting the belts I all of their cars, and after owners of older cars picked up the new-style seatbelt from the corner gas station,
Cute. But no (Score:2)
That was entertaining, thanks.
Watching my young daughter has taught me some things. Such as:
> And law of torts begat liability.
Two year olds very much understand "it's your fault and I'm mad at you", liability for harms done is not an invention of government.
What I thought was interesting is that two year olds will get really mad if another two year old copies their drawing (scribble) or song. Copyright seems to be instinctual.
As a libertarian (Score:1)
I strongly disagree. You should do your own research and refuse to buy inferior products. If you get hax0red its your own fault for buying crap from china and not securing your own equipment
Re: (Score:2)
However, this is rather draconian and could end up ruining you. Instead, mandating baseline level of security and on-going support is by far less intrusive and disruptive approach.
Re: (Score:2)
Well, just shows that stupid, short-sighted libertarianism is not a good idea at all.
Re: (Score:3)
OP is really an economic anarchist, not a libertarian. Libertarians accept that the government has an important, if small, role in maintaining a stable market: policing, contract enforcement, fraud enforcement, standardizing weights and measures, that sort of thing. Basic product safety falls under that umbrella - it's fraud enforcement for the things everyone assumes about products even if their not printed on the label.
Re: (Score:2)
OP is really an economic anarchist, not a libertarian.
Probably. Although with stupid people it is hard to find out what they actually stand for.
Re: (Score:2)
What steps should a city take to efficiently open the city's rights of way to multiple water distribution companies?
Re: (Score:2)
What about being a victim of collateral damage through someone else buying inferior products?
Sure, liability lawsuits could be flung around but if we take the title of Schneier's book at face value then it's going to be your estate rather then you pursuing that legal action which does seem to lack any degree of personal satisfaction.
Re: (Score:2)
You do not understand the problem. If the damage were just on your side, that would be fine. But the vast majority of the damage is to others and the infrastructure and your approach is therefore a complete fail.
Re: (Score:2)
It's a bit like drunk driving. If you could only kill yourself, I'd actually gift you a bottle of gin to ensure your demise, but unfortunately, you more likely harm innocent bystanders that cannot even avoid becoming your victim.
Re: (Score:2)
Excellent comparison.
Because heart attack sufferers (Score:4, Insightful)
Are in a position to shop between implants, and there's obviously millions of vendors.
And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.
Find any good OpenBSD-based thermostats on Amazon? Thought not.
Re: (Score:2)
Re: (Score:2)
I'm good at computer security, competent enough to protect my home and ask probing questions before questionable devices are allowed on my home network. For some devices, I run a separate home network.
I know nothing about medical insurance. I am minimally competent at financial investing, but I certainly don't have the time to research all the options my 401K plan offers. I pay experts to identify good products for me. That is in keeping with the libertarian ethos
My car alarm would like a word with you (Score:1)
You know those pointless noise-maker car alarms? It used to be that only douches have those. When I bought my car in '07 it never occurred to me it would come with one. It did. I never asked for it. They didn't warn me. The damned thing has pissed me off and sent me into a rage on several occasions. I went to the dealer and they said they could fix it when they're security specialist was in, or some bullshit like that. They acted like it was serious business. It's a fucking noise maker that pisses
Re: (Score:2)
The point of the market is that it makes mass-market products that most people want, not products that you, personally, want. However stupid you might think popular products are, doesn't matter. That's called "economic efficiency": actually producing what most people actually want to consume, not what someone thinks they should want to consume.
That being said, you can totally pay someone to kill the alarm. You might not like the price for that, but that's the nature of custom on-off goods and services.
I
Re: (Score:2)
*one-off
Re: (Score:3)
A) Alarm.
or
B) No car.
Recalls.... (Score:5, Insightful)
Re: (Score:2)
While 80s came and gone, for some reason special exceptions for software still commonplace. For some reason negligence is acceptable behavior in IT and CS.
Re:Recalls.... (Score:4, Insightful)
For some reason negligence is acceptable behavior in IT and CS.
It's because CS doesn't want to be treated as "real" engineering.
In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.
The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".
This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.
Re: (Score:1)
If you don't mind computers and software (each) cost about as much as a car, go ahead.
Re: (Score:2, Insightful)
If you don't mind computers and software (each) cost about as much as a car, go ahead.
This actually makes much more sense than allowing everyone to attach multiple $20 devices to the global Internet.
I support your solution completely.
Re: (Score:2)
If you don't mind computers and software (each) cost about as much as a car, go ahead.
Can you explain what is gained by having cheap insecure computers everywhere?
Re: (Score:2)
That is, in 2018 MS has nothing to do with IoT problems... other than ancient Windows XP systems that still sometimes can be found in airports and voting machines. Technically these are now classified as IoT, but they predate the term.
Re: (Score:2)
Re: (Score:3)
I think you'll find the problem is not with detail-oriented obsessive nerd writing software, but with managers who yank products out of their hands when they're nowhere near done, and ship them. Make the managers sign off, not the developers.
Re: (Score:2)
Re: Recalls.... (Score:2)
Cars are also forced to follow standards, as are aircraft. MISRA and DO-178C + JSF respectively.
That's part of why they can be forced to recall. There's something to measure against.
Govt... (Score:1)
We want you to lock everyone else out of the device - but us! ... so our intrepid developers put 200+ back doors in their devices. One for every government that asked for it,
With admin names like:
UnitedStates-BackDoor-KeepOut
Yemen-BackDoor-KeepOut
VaticanCity-BackDoor-KeepOut
Canadia-BackDoor-PleaseKeepOut
Russa-BackDoor-NothingToSeeHere
Oh, and the passwords for all the backdoors? - 1-2-3-4-5 No one read the email that said that the Govt's were to change the password to something only they knew when they hack
Re: Govt... (Score:2)
That's why you want real standards. DO-178C doesn't have backdoors. If FIPS has a backdoor, the U.S. military would love to know. CERT's secure programming guidelines are decent.
If anyone adds backdoor clauses, you ignore them.
They make the same mistakes _again_ (Score:2)
All the same old tired stupid mistakes are made again in the IoT space. It is really quite stupid.
Re:They make the same mistakes _again_ (Score:4, Insightful)
No, logical.
The people developing IoT devices are not software engineers. They are engineers designing fridges, TVs, stoves and washing machines. And they're even good at that. But they now get the task to add "internet connectivity" to it. Why? Because we have a new checkbox on the cute cards in the stores. You know those cards. The ones that list all the awesome features your appliance has. The ones the customer does not understand but counts how many of those boxes are checked. And if your appliance does not have a check that the other one has, the customer won't buy yours. Because he needs that feature? Hell no. He most likely doesn't even know what the feature is. But the other one has it, so it's "better".
With this in mind it is easy to understand why every toaster now needs WiFi access. And also why that WiFi access is treated like a gimmick rather than a real feature by its maker. Actually, I'm surprised it works, I wouldn't even dream about asking whether it's secure.
Re: (Score:2)
They are also engineers that work on a new domain (software) and do not bother to actually learn the established wisdom in that domain. Stupid.
Innovation is not the problem (Score:5, Insightful)
The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.
We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.
Re:Innovation is not the problem (Score:4, Insightful)
>The mistakes the IoT vendors are making are all mistakes that have been made before
Guy above you said the same thing.
I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior, it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed you build around it (ie assume it, even refer to it as "standard market forces") as we have with millions of laws for centuries.
Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.
Now change your recommendations to reflect that.
Re: (Score:1)
Re: (Score:2)
The Singularity will not be postponed (Score:2)
These attempts to postpone the coming technological singularity and save their own... everything will not be successful, and are not acceptable.
Accelerate.
Re: (Score:2)
Re: (Score:3)
Because people noticed that they get killed in death trap cars. Unfortunately, insecure IoT bullshit hurts pretty much everyone BUT the idiot that runs it.
I still say the drunk driving comparison is apt, usually the asshole wino survives the crash while the pedestrian he mows down does not.
Re: (Score:2)
usually the asshole wino survives the crash while the pedestrian he mows down does not.
Far more drunk pedestrians are killed by sober drivers than vice versa. Pick a different example.
Re: (Score:2)
They're not the problem, they are at least responsible for it themselves.
Proactive vs Reactive (Score:3)
Yes, you can find examples of industries that improve safety reactively as a marketing ploy in response to bad press from an unfortunate incident (for example, tamper-proof packaging after the
Companies Are Lazy. Leverage That. (Score:1)
The simple and obvious fix for IoT security is for a bunch of open source security experts to build something basic and give it away under a free licence. If it's well documented and saves the company having to develop their own, they'll use it. Everyone wins.
Regulation is almost pointless (Score:2)
Almost.
IoT is going to end up a security sinkhole, with devices devoting 2/3 of their code to security, and 1/3 to actual functionality. Unfortunate but necessary.
But failed security won;y be solved by regulation. Small manufacturers will suffer because when they get it wrong they will be crushed. And consumers will suffer because they will be stuck with failed devices and lost money.
Ultimately regulation of IoT will look more like rent-seeking than protection, since punishing manufacturers for security fai
Re: (Score:2)
Adding actual security features to your code inevitably increases code and complexity. It's both unavoidable and necessary.
Now, best practices in code may help with security. Sure, both efforts are necessary.
Re: (Score:2)
Keep the regulation simple.
1) Right to repair. They are required to allow users to install updates and repair the devices. Flash is not significantly more expensive than OTP at this point, so cost is not an excuse. If the company chooses not to provide further software updates, they are required to release full source code, schematics, and any keys the user would require to sign it with. Ideally, devices would also include a user-programmable key space so we could also generate our own keys. And then remote
"Innovation" (Score:1)
If we're talking consumer applications, most of the shitty IoT concepts aren't innovative in the slightest, they are just slapping a wifi chip onto the side of a pre-existing product. The societal benefit of holding manufacturers responsible for their bugs far outweighs missing out on iteration #48,294 of a networked baby monitor or washing machine.
IoT devices = In-waiting of Tragedy devices (Score:2)
All these IoT devices are just mini time-bombs waiting to go off. When they get hacked / p0wned will politicians FINALLY realize that allowing devices on the internet with none, or very little, security was a bad idea???
This is why I call Internet-of-Things with a more accurate one: In-waiting of Tragedy
Because when enough people's fridges, thermostats, stoves, etc. get hacked it will be hell.
That's called the Clipper Chip (Score:2)
Security and reliability are areas of innovation t (Score:3)
I don't think we have to rely on archaic notions of what is secure. I don't think we need to suffer with medieval concepts of what was reliable.
It's perfectly reasonable to expect IoT technology to strictly exceed the standards taught in the 1980s, simply because those standards are 40-odd years old. We've learned how to build things better since then.
The law can reasonably enforce certain standards. There are standards out there, for coding and security. Some, like MISRA, are regarded as correct only in places. But they are published and are used by real people for real projects.
The obvious solution is to commission the NSF to draw up some core standards, using the existing ones as templates:
One set of rules for all I/O, probably based on CERT's secure programming and FIPS.
One set for low-criticality systems, I'd argue 5N reliability is all you need for that.
One set for high-criticality (medical implants, for example), probably using only vital, universal, elements from MISRA, JSF+ and DO-178C. Emphasis on vital, universal. You don't want rules here that are frivolous or domain-specific.
One set for split role devices. I'd probably use ideas that are still relevant from the Rainbow Series.
Such a group may decide that a given set is the empty set. That's fine. That means regulations don't make any sense at that level and that's worth knowing.
The rules should be minimal, no group should have more than ten rules. I don't think anyone can seriously object to ten rules programmers came up with in the first place.
By using existing, established, rules, most can be checked automatically, making it a cinch to validate and certify.
Is it enough? Probably not, but that's not the point. The point is to create a starting point and enforce minimal standards superior to what is currently used but trivial enough to not impose an excessive overhead.
Re: (Score:2)
We can require everyone to use formal methods, but don't expect any updates to OpenSSL/LibreSSL this decade.
It would cost $2.4 billion to reduce the bug density in the Linux kernel to 0.00045 or less and keep it there for a year.
Current status: https://scan.coverity.com/proj... [coverity.com]
That's very nearly bug-free. It would actually be 100% bug-free in all components that don't require features that are inherently unreliable. The government could afford it, most corporations could not.
I would actually like that for
Re: (Score:2)
shared spaces (Score:4, Interesting)
That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship [nypost.com]
This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.
The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.
Re: (Score:3)
https://slashdot.org/~petes_PoV blathered:
Right now the internet is one big space that every user shares with every other user.
That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship [nypost.com]
This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.
The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.
I could not more strongly disagree.
The Internet is a voluntary interconnection between (at this point) millions of private networks. It is only that interconnection that made the staggering revolution in how people in the developed world interact with everything from local government to retailers to social networks to ... well ... virtually every other person, organization, and resource in the modern world.
What you are describing is, in many ways, not unlike the Int
Good riddance to the 'Internet of things' (Score:1)
Thieves break into financial networks on a regular basis. They pay a lot of people a lot of money to prevent this, but it still happens. There is no one to prevent some 12 year old script kiddie from turning your 'smart refrigerator's' temperature all the way up. No to mention the vastness of security camera botnets and how manufacturers spy through smart TVs...
Air Gap (Score:2)
Re: (Score:1)
Is it that hard to air gap IoT devices? I'm not concerned about someone hacking into my cameras, you should see all the bullshit those cameras want to send back home. IoT devices will never be secure. Why even fight that battle?
Yes.. LG puts the wifi in a location that you can't get to without completely dissembling the entire device and they did this after they realized the people were removing the wifi card or clipping the antenna on the previous design.
Neighbor of mine bought a new washer/dryer pair got it home (entire house wired for internet, no wifi in the house), and neither unit would work. Service guy came out and the first question he asked was "Did you configure the wifi?" When they responded that they had no wifi,
I Call BS (Score:3)
How about PCI (Payment Card Security Standards)? This is one of many examples where industry has self imposed security standards without being forced by government.
I personally advocate a happy medium on regulation, but that statement seems to demand the creation of a police state and I have to speak out against that horrible idea.
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes it does. It was the credit card industry that came up with PCI, not the banking industry. Guess which industry can, by law, fob off fraud losses onto its customers?
Really, you libertards really are that stupid. Even if there is empirical data staring you in the face that regulatory pressure led to industry action, you still persist in putting your fingers in your ears and going 'Lalalalaaa, I can't hear you!!11!'.
Re: (Score:2)
Re: (Score:2)
Bruce is... (Score:3)
... largely in denial.
Regulation is not going to stop anything in a nation that worships corporations. It's in too many big companies interest to spy on everyone and remove their ability to own their own software. Mere regulation isn't going to help jack squat. The best security is not to have software and hardware unnecessarily connected to the internet for instance.
If we were really interested in security drm would not be a thing and all game would be be able to be playable offline. The best security is not to put it on the net in the first place. Too many big companies have too much power and mere regulation is not going to do jack shit in government that is bought and owned by corporations. Like the man wasn't paying attention to the bail outs of the big banks in 2008 or the last 40 years of repeals of various acts that were designed to protect the public.
Re: (Score:2)
Baseline Security isn't good enough -- Nothing is (Score:1)
If all IoTs meet some baseline security on, say, Day 1, new attacks will be found on Day 2 if not before the item ships
How do you keep your things current with the latest challenges?
If the manufacturers have hidden paths that allows them to update remotely, that code will just be a new way to hack the device.
If the manufacturers send you a new plugin with the updated code for your light or refrigerator, you get to fix each each device.
We don't need to quell inovation... (Score:1)
Just connected gadgets? (Score:2)
... argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought.
Banks, anyone? How about fast food joints and places like Target?
Yahoo!?
Equifax?
No?
OK.