Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Businesses Government IT Technology

We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com) 140

Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book titled, Click Here to Kill Everybody which is on sale now. Here's an excerpt from his interview with MIT Technology Review: Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.

Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.

Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.

This discussion has been archived. No new comments can be posted.

We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier

Comments Filter:
  • by 110010001000 ( 697113 ) on Friday September 07, 2018 @10:21AM (#57269256) Homepage Journal
    I give the book five stars based solely on the title.
    • by Anonymous Coward

      Sounds like a book Bender would write...

    • by raymorris ( 2726007 ) on Friday September 07, 2018 @11:18AM (#57269688) Journal

      Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.

      "There's no industry that's improved safety or security without governments forcing it to do so.", he began.

      Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me to", but the NFPA and fire codes were created by insurance companies, not government.

      The auto companies were advertising safety innovations for half a century before there was any major legistlate. From Dusenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.

      So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.

      • The goal is to sell books, not be accurate. This is 2018.
      • by Anonymous Coward

        I think you're reinforcing his point. The example you cite the insurance companies created standards to be applied/enforced to the insured. The insurance companies are acting in the same role Schneier wants government to fill against manufacturers. In your example it's not the insurance industry policing itself, it's the insurance industry policing people it's uniquely positioned to enforce policy on. I'm not sure there's another non-governement entity in that same position to enforce policy on the breadth

        • homeowner's insurance companies are uniquely positioned to fix this quickly. i get significant discounts from usaa for things like burglar alarms, fire improvements, etc. they can just extend them to iot security. government is not needed or wanted.
  • by Anonymous Coward

    I strongly disagree. You should do your own research and refuse to buy inferior products. If you get hax0red its your own fault for buying crap from china and not securing your own equipment

    • by sinij ( 911942 )
      Your views fail to account for externalizing costs of bad security. Your lack of security is also resulted in a botnet used to attack me. So if you get hacked, and your IoT junk is used to attack me, then you also should be liable for this attack. Only this could be considered a coherent libertarian view.

      However, this is rather draconian and could end up ruining you. Instead, mandating baseline level of security and on-going support is by far less intrusive and disruptive approach.
      • by gweihir ( 88907 )

        Well, just shows that stupid, short-sighted libertarianism is not a good idea at all.

        • by lgw ( 121541 )

          OP is really an economic anarchist, not a libertarian. Libertarians accept that the government has an important, if small, role in maintaining a stable market: policing, contract enforcement, fraud enforcement, standardizing weights and measures, that sort of thing. Basic product safety falls under that umbrella - it's fraud enforcement for the things everyone assumes about products even if their not printed on the label.

          • by gweihir ( 88907 )

            OP is really an economic anarchist, not a libertarian.

            Probably. Although with stupid people it is hard to find out what they actually stand for.

    • What about being a victim of collateral damage through someone else buying inferior products?

      Sure, liability lawsuits could be flung around but if we take the title of Schneier's book at face value then it's going to be your estate rather then you pursuing that legal action which does seem to lack any degree of personal satisfaction.

    • by gweihir ( 88907 )

      You do not understand the problem. If the damage were just on your side, that would be fine. But the vast majority of the damage is to others and the infrastructure and your approach is therefore a complete fail.

    • It's a bit like drunk driving. If you could only kill yourself, I'd actually gift you a bottle of gin to ensure your demise, but unfortunately, you more likely harm innocent bystanders that cannot even avoid becoming your victim.

    • by jd ( 1658 ) <imipakNO@SPAMyahoo.com> on Friday September 07, 2018 @11:46AM (#57269932) Homepage Journal

      Are in a position to shop between implants, and there's obviously millions of vendors.

      And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.

      Find any good OpenBSD-based thermostats on Amazon? Thought not.

    • by Anonymous Coward

      You know those pointless noise-maker car alarms? It used to be that only douches have those. When I bought my car in '07 it never occurred to me it would come with one. It did. I never asked for it. They didn't warn me. The damned thing has pissed me off and sent me into a rage on several occasions. I went to the dealer and they said they could fix it when they're security specialist was in, or some bullshit like that. They acted like it was serious business. It's a fucking noise maker that pisses

      • by lgw ( 121541 )

        The point of the market is that it makes mass-market products that most people want, not products that you, personally, want. However stupid you might think popular products are, doesn't matter. That's called "economic efficiency": actually producing what most people actually want to consume, not what someone thinks they should want to consume.

        That being said, you can totally pay someone to kill the alarm. You might not like the price for that, but that's the nature of custom on-off goods and services.

        I

  • Recalls.... (Score:5, Insightful)

    by Luthair ( 847766 ) on Friday September 07, 2018 @10:26AM (#57269300)
    In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.
    • by sinij ( 911942 )
      Because software...

      While 80s came and gone, for some reason special exceptions for software still commonplace. For some reason negligence is acceptable behavior in IT and CS.
      • Re:Recalls.... (Score:4, Insightful)

        by Anonymous Coward on Friday September 07, 2018 @10:44AM (#57269442)

        For some reason negligence is acceptable behavior in IT and CS.

        It's because CS doesn't want to be treated as "real" engineering.

        In real engineering, you - personally - sign off on things. Engineers are held responsible if they design a structure that fails even when given the proper maintenance. They are held accountable for what they do. Ditto if you are an EE and you design a circuit deployed in consumer electronics that fails by the millions and burns down houses.

        The software world wants NO accountability. It wants to belch out mountains of shit and then wash their hands of it, because doing it right is "too hard".

        This can ONLY be fixed by legislation which holds software "engineers" accountable for failure. Right now there is zero accountability, which is a recipe for negligence and failure.

        • If you don't mind computers and software (each) cost about as much as a car, go ahead.

          • Re: (Score:2, Insightful)

            by Anonymous Coward

            If you don't mind computers and software (each) cost about as much as a car, go ahead.

            This actually makes much more sense than allowing everyone to attach multiple $20 devices to the global Internet.

            I support your solution completely.

          • by sinij ( 911942 )

            If you don't mind computers and software (each) cost about as much as a car, go ahead.

            Can you explain what is gained by having cheap insecure computers everywhere?

            • Entertainment value for catastrophe voyeurs.
        • by lgw ( 121541 )

          I think you'll find the problem is not with detail-oriented obsessive nerd writing software, but with managers who yank products out of their hands when they're nowhere near done, and ship them. Make the managers sign off, not the developers.

    • Cars are also forced to follow standards, as are aircraft. MISRA and DO-178C + JSF respectively.

      That's part of why they can be forced to recall. There's something to measure against.

  • by Anonymous Coward

    We want you to lock everyone else out of the device - but us! ... so our intrepid developers put 200+ back doors in their devices. One for every government that asked for it,

    With admin names like:
    UnitedStates-BackDoor-KeepOut
    Yemen-BackDoor-KeepOut
    VaticanCity-BackDoor-KeepOut
    Canadia-BackDoor-PleaseKeepOut
    Russa-BackDoor-NothingToSeeHere

    Oh, and the passwords for all the backdoors? - 1-2-3-4-5 No one read the email that said that the Govt's were to change the password to something only they knew when they hack

    • That's why you want real standards. DO-178C doesn't have backdoors. If FIPS has a backdoor, the U.S. military would love to know. CERT's secure programming guidelines are decent.

      If anyone adds backdoor clauses, you ignore them.

  • All the same old tired stupid mistakes are made again in the IoT space. It is really quite stupid.

    • by Opportunist ( 166417 ) on Friday September 07, 2018 @11:02AM (#57269570)

      No, logical.

      The people developing IoT devices are not software engineers. They are engineers designing fridges, TVs, stoves and washing machines. And they're even good at that. But they now get the task to add "internet connectivity" to it. Why? Because we have a new checkbox on the cute cards in the stores. You know those cards. The ones that list all the awesome features your appliance has. The ones the customer does not understand but counts how many of those boxes are checked. And if your appliance does not have a check that the other one has, the customer won't buy yours. Because he needs that feature? Hell no. He most likely doesn't even know what the feature is. But the other one has it, so it's "better".

      With this in mind it is easy to understand why every toaster now needs WiFi access. And also why that WiFi access is treated like a gimmick rather than a real feature by its maker. Actually, I'm surprised it works, I wouldn't even dream about asking whether it's secure.

      • by gweihir ( 88907 )

        They are also engineers that work on a new domain (software) and do not bother to actually learn the established wisdom in that domain. Stupid.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday September 07, 2018 @10:44AM (#57269440) Homepage Journal

    The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.

    We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.

    • by Anonymous Coward on Friday September 07, 2018 @10:59AM (#57269550)

      >The mistakes the IoT vendors are making are all mistakes that have been made before
      Guy above you said the same thing.

      I hope you guys realize that line is evidence of a systematic problem, not a problem with the behavior of individuals. System problems aren't corrected by "discipline" to behavior, it takes ridiculous resources and effort to get marginal changes to the base human condition. As a basic example, you don't treat Greed you build around it (ie assume it, even refer to it as "standard market forces") as we have with millions of laws for centuries.

      Assume self-interested companies will continue to act like self-interested companies. Indefinitely. It can't be stopped.

      Now change your recommendations to reflect that.

  • These attempts to postpone the coming technological singularity and save their own... everything will not be successful, and are not acceptable.

    Accelerate.

  • by Anonymous Coward

    The simple and obvious fix for IoT security is for a bunch of open source security experts to build something basic and give it away under a free licence. If it's well documented and saves the company having to develop their own, they'll use it. Everyone wins.

  • Almost.

    IoT is going to end up a security sinkhole, with devices devoting 2/3 of their code to security, and 1/3 to actual functionality. Unfortunate but necessary.

    But failed security won;y be solved by regulation. Small manufacturers will suffer because when they get it wrong they will be crushed. And consumers will suffer because they will be stuck with failed devices and lost money.

    Ultimately regulation of IoT will look more like rent-seeking than protection, since punishing manufacturers for security fai

    • by Big Boss ( 7354 )

      Keep the regulation simple.

      1) Right to repair. They are required to allow users to install updates and repair the devices. Flash is not significantly more expensive than OTP at this point, so cost is not an excuse. If the company chooses not to provide further software updates, they are required to release full source code, schematics, and any keys the user would require to sign it with. Ideally, devices would also include a user-programmable key space so we could also generate our own keys. And then remote

  • by Anonymous Coward

    If we're talking consumer applications, most of the shitty IoT concepts aren't innovative in the slightest, they are just slapping a wifi chip onto the side of a pre-existing product. The societal benefit of holding manufacturers responsible for their bugs far outweighs missing out on iteration #48,294 of a networked baby monitor or washing machine.

  • All these IoT devices are just mini time-bombs waiting to go off. When they get hacked / p0wned will politicians FINALLY realize that allowing devices on the internet with none, or very little, security was a bad idea???

    This is why I call Internet-of-Things with a more accurate one: In-waiting of Tragedy

    Because when enough people's fridges, thermostats, stoves, etc. get hacked it will be hell.

  • https://en.wikipedia.org/wiki/... [wikipedia.org] "The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency[1] (NSA) as an encryption device that secured “voice and data messages"[2] with a built-in backdoor. It was intended to be adopted by telecommunications companies for voice transmission. It can encipher and decipher messages. It was part of a Clinton Administration program to “allow Federal, State, and local law enforcement officials the ability to deco
  • I don't think we have to rely on archaic notions of what is secure. I don't think we need to suffer with medieval concepts of what was reliable.

    It's perfectly reasonable to expect IoT technology to strictly exceed the standards taught in the 1980s, simply because those standards are 40-odd years old. We've learned how to build things better since then.

    The law can reasonably enforce certain standards. There are standards out there, for coding and security. Some, like MISRA, are regarded as correct only in places. But they are published and are used by real people for real projects.

    The obvious solution is to commission the NSF to draw up some core standards, using the existing ones as templates:

    One set of rules for all I/O, probably based on CERT's secure programming and FIPS.

    One set for low-criticality systems, I'd argue 5N reliability is all you need for that.

    One set for high-criticality (medical implants, for example), probably using only vital, universal, elements from MISRA, JSF+ and DO-178C. Emphasis on vital, universal. You don't want rules here that are frivolous or domain-specific.

    One set for split role devices. I'd probably use ideas that are still relevant from the Rainbow Series.

    Such a group may decide that a given set is the empty set. That's fine. That means regulations don't make any sense at that level and that's worth knowing.

    The rules should be minimal, no group should have more than ten rules. I don't think anyone can seriously object to ten rules programmers came up with in the first place.

    By using existing, established, rules, most can be checked automatically, making it a cinch to validate and certify.

    Is it enough? Probably not, but that's not the point. The point is to create a starting point and enforce minimal standards superior to what is currently used but trivial enough to not impose an excessive overhead.

  • shared spaces (Score:4, Interesting)

    by petes_PoV ( 912422 ) on Friday September 07, 2018 @11:37AM (#57269860)
    Right now the internet is one big space that every user shares with every other user.

    That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship [nypost.com]

    This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
    This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

    The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

    • by thomst ( 1640045 )

      https://slashdot.org/~petes_PoV blathered:

      Right now the internet is one big space that every user shares with every other user.

      That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship [nypost.com]

      This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.

      This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.

      The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.

      I could not more strongly disagree.

      The Internet is a voluntary interconnection between (at this point) millions of private networks. It is only that interconnection that made the staggering revolution in how people in the developed world interact with everything from local government to retailers to social networks to ... well ... virtually every other person, organization, and resource in the modern world.

      What you are describing is, in many ways, not unlike the Int

  • by Anonymous Coward

    Thieves break into financial networks on a regular basis. They pay a lot of people a lot of money to prevent this, but it still happens. There is no one to prevent some 12 year old script kiddie from turning your 'smart refrigerator's' temperature all the way up. No to mention the vastness of security camera botnets and how manufacturers spy through smart TVs...

  • Is it that hard to air gap IoT devices? I'm not concerned about someone hacking into my cameras, you should see all the bullshit those cameras want to send back home. IoT devices will never be secure. Why even fight that battle?
    • by Anonymous Coward

      Is it that hard to air gap IoT devices? I'm not concerned about someone hacking into my cameras, you should see all the bullshit those cameras want to send back home. IoT devices will never be secure. Why even fight that battle?

      Yes.. LG puts the wifi in a location that you can't get to without completely dissembling the entire device and they did this after they realized the people were removing the wifi card or clipping the antenna on the previous design.

      Neighbor of mine bought a new washer/dryer pair got it home (entire house wired for internet, no wifi in the house), and neither unit would work. Service guy came out and the first question he asked was "Did you configure the wifi?" When they responded that they had no wifi,

  • by TomGreenhaw ( 929233 ) on Friday September 07, 2018 @01:28PM (#57270776)
    >There's no industry that's improved safety or security without governments forcing it to do so.
    How about PCI (Payment Card Security Standards)? This is one of many examples where industry has self imposed security standards without being forced by government.

    I personally advocate a happy medium on regulation, but that statement seems to demand the creation of a police state and I have to speak out against that horrible idea.
    • That's an excellent example. Shame on this author and those supporting further government interference with innovation. If people want secure tech, companies will be happy to sell them that.
    • by mvdwege ( 243851 )
      PCI only exists because by law credit card issuers are liable for the costs of fraud.
      • no it does not depend on government regulation. it reduces fraud. it's competitive. go away government. we need smarter consumers. we need people to stop saying "...it's beyond me..." well then get someone smart!
        • by mvdwege ( 243851 )

          Yes it does. It was the credit card industry that came up with PCI, not the banking industry. Guess which industry can, by law, fob off fraud losses onto its customers?

          Really, you libertards really are that stupid. Even if there is empirical data staring you in the face that regulatory pressure led to industry action, you still persist in putting your fingers in your ears and going 'Lalalalaaa, I can't hear you!!11!'.

  • by blahplusplus ( 757119 ) on Friday September 07, 2018 @01:50PM (#57270982)

    ... largely in denial.

    Regulation is not going to stop anything in a nation that worships corporations. It's in too many big companies interest to spy on everyone and remove their ability to own their own software. Mere regulation isn't going to help jack squat. The best security is not to have software and hardware unnecessarily connected to the internet for instance.

    If we were really interested in security drm would not be a thing and all game would be be able to be playable offline. The best security is not to put it on the net in the first place. Too many big companies have too much power and mere regulation is not going to do jack shit in government that is bought and owned by corporations. Like the man wasn't paying attention to the bail outs of the big banks in 2008 or the last 40 years of repeals of various acts that were designed to protect the public.

    • yeah, bruce is definitely a moron on this (and most things come to think of it) - he may know applied math (cryptography) but not much else.
  • If all IoTs meet some baseline security on, say, Day 1, new attacks will be found on Day 2 if not before the item ships

    How do you keep your things current with the latest challenges?

    If the manufacturers have hidden paths that allows them to update remotely, that code will just be a new way to hack the device.

    If the manufacturers send you a new plugin with the updated code for your light or refrigerator, you get to fix each each device.

  • We don't need to slow down innovation. We just need the universal understanding that proprietary software in these devices is not acceptable.
  • ... argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought.

    Banks, anyone? How about fast food joints and places like Target?

    Yahoo!?

    Equifax?

    No?

    OK.

You know you've landed gear-up when it takes full power to taxi.

Working...