Slashdot Mirror


Vint Cerf: CS Programs Must Change To Adapt To Internet of Things

chicksdaddy (814965) writes "The Internet of Things has tremendous potential but also poses a tremendous risk if the underlying security of Internet of Things devices is not taken into account, according to Vint Cerf, Google's Internet Evangelist. Cerf, speaking in a public Google Hangout (video) on Wednesday, said that he's tremendously excited about the possibilities of an Internet of billions of connected objects. But Cerf warned that it necessitates big changes in the way that software is written. Securing the data stored on those devices and exchanged between them represents a challenge to the field of computer science – one that the nation's universities need to start addressing. Internet of Things products need to do a better job managing access control and use strong authentication to secure communications between devices."

33 of 163 comments

  1. Could they possibly come up with a dumber name? by Anonymous Coward · · Score: 2, Informative

    "Internet of things" sounds like some retarded proprietary crap from some big-name company

  2. They can teach whatever they want. by Anonymous Coward · · Score: 5, Insightful

    But until lawsuits make fixing things more affordable than ignoring the gaping holes, you're going to be playing guinea pig. That's just the free market at work.

    1. Re:They can teach whatever they want. by Cryacin · · Score: 5, Interesting

      This. A thousand times This. I have been in meetings where security has explicitly been regarded as irrelevant, where one-way encrypting passwords from plaintext on the client is irrelevant, and where we can trust our employees to always do the right thing with all of our users' passwords, and "what could they do with the passwords that is outside of our irrelevant application" was bandied around the room as acceptable.

      They should not be teaching the importance of such things to CS students, but much rather to the MBAs and BBus students. It's not the knowledge of the need for security amongst those that build, but the desire to pay for it from Management.

      --
      Science advances one funeral at a time- Max Planck
    2. Re:They can teach whatever they want. by mlts · · Score: 4, Insightful

      Nail, head, hit. Even if someone had a device that had obvious security failings that were unfixable, the EULA/TOS by opening it up and turning it on would ensure that lawsuits would not proceed (either by forcing arbitration, or just a clause stating that it isn't their fault, no matter what.)

      I have no interest in IoT. Realistically, what has to be on the Internet all the time and take commands? Why do we need to give devices full exposure if it isn't needed?

      If someone wants status messages from devices, why not just have devices communicate via Bluetooth to a log box, and said log box present the data to where it needs to go? This would force an intruder to have to hack that core box, then use Bluetooth weaknesses to jump to actual devices, rather than just run scripts blindly and hope someone's widget shows up.

    3. Re:They can teach whatever they want. by epyT-R · · Score: 3, Insightful

      No thanks. I don't want to be responsible for intractable problems. Security is one of those. See, in this situation the programmers would be the ones canned over any security flaw, regardless whether it's due to programming or misuse by the customer.

      Cleaning toilets is starting to sound like a great job these days. It sure beats cleaning up people's digital toilets...err computers and networks.

      The best way to be safe from the internet of things is not to have unneeded connectivity. Anything else is a risk.

    4. Re:They can teach whatever they want. by AmiMoJo · · Score: 2

      You need to fix your consumer laws so you are not dominated by tyrannical EULAs.

      In the UK the law is quite clear. All products must be fit for purpose. If a router has security features (like a password to access the management interface, or a firewall) it must work in a typical home environment where the router was intended to be used. No EULA can change that, or take away your legal right to redress.

      If three years after buying the router there is a security hole discovered and the manufacturer does not fix it you are entitled to a refund from the shop that you bought it from. Courts typically use 6 years as the lifetime of IT equipment so the shop may offer a 50% refund based on the 3 years' use you had from it. Again, no EULA can change this and the shop is responsible, not the manufacturer.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    5. Re:They can teach whatever they want. by phantomfive · · Score: 2

      Being in a EULA doesn't mean it's enforceable. You can't do illegal things, even if it's in the EULA.

      --
      "First they came for the slanderers and i said nothing."
  3. Stupid by hsmith · · Score: 5, Insightful

    You teach core and theory and you apply it to whatever the current fad is. It is preposterous for a computer science program to be geared directly to some "thing" that is currently popular or will be.

    College is about learning theory and how to apply it, it isn't a vocational program.

    1. Re:Stupid by bmo · · Score: 4, Insightful

      College is about learning theory and how to apply it, it isn't a vocational program.

      When you have a $100k bill to pay off that you can't escape through bankruptcy, you'd better have some way to pay it off. When you have a trillion dollar debt problem based upon this (see previous slashdot headlines) you have what they call a "real problem."

      What you say is a nice sentiment. It's a sentiment that was only valid 40 years ago, when a summer job every year could pay for tuition at Northeastern.

      It is also preposterous to not teach the concepts of security for devices connected to hostile environments (i.e., every network ever), and networking is not a "fad." The only people that thought that the Internet and networking in general for "the great unwashed" were fads were "futurists" like Cliff Stoll who were wildly wrong in 1995.

      http://www.newsweek.com/cliffo...

      Read that. A 30 year trend is not a fad.

      --
      BMO

  4. But why do we need the internet of things by Anonymous Coward · · Score: 2, Insightful

    What exactly are the upsides of having my fridge, toaster, microwave oven, sock drawer or fork connected to the internet?

    1. Re:But why do we need the internet of things by ArcadeMan · · Score: 5, Funny

      Your sock drawer would know how many times each sock has been fucked, it would alert your washer to wash two cycles instead of one, it could tell your fridge to order more detergent since it's in charge of the grocery list and it could buy more sexy lingerie on Amazon for your girlfriend since you're obviously ignoring her physical needs.

    2. Re:But why do we need the internet of things by LookIntoTheFuture · · Score: 3, Funny

      What exactly are the upsides of having my fridge, toaster, microwave oven, sock drawer or fork connected to the internet?

      You won't be able to understand the upsides because you aren't part of the "today's busy idiot" demographic.

      --
      Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
    3. Re:But why do we need the internet of things by sexconker · · Score: 3, Informative

      What exactly are the upsides of having my fridge, toaster, microwave oven, sock drawer or fork connected to the internet?

      Well a smart oven can be set to cook your meal when you hit a button on an app before you head home. A smart fridge can keep track of what food you have when it expires what you use then compile meal plans and grocery lists add to it a link to your smart bathroom scale, and smart shoes to measure the amount of physical activity you have throughout the day and it opens up dynamic dieting meal plans. A house's light and sound system could detect what room you are in and turn on and off lights and speakers as you enter/leave. Given time I could come up with more applications but those were just the first ones to pop into my head.

      You'd have to prepare the meal beforehand and hope there's only one cooking step.
      Fine if you're doing boxed dinners, but useless if you want to actually cook anything.

      A smart fridge won't know when milk's gone sour before the date or when yogurt and cheese are still good a month after the date. Nor will they have a way to read the damned date on any of the brands I like. I sure as hell am not typing (or touching, or speaking) that shit in to the fridge. Nor would such a smart fridge need to be connected to the internet.

      Every single suggestion I've seen about the "Internet of Things" has been solving problems that don't exist, and it's a long, long stretch to say they're actually solving anything. If you think smart watches bombed, wait til you see how the rest of this shit does in the market.

    4. Re:But why do we need the internet of things by ArcadeMan · · Score: 4, Funny

      I got +1 insightful for that? Scary.

  5. Oh yeah sure. by istartedi · · Score: 4, Insightful

    My Internet-enabled fridge needs to be developed using proper security procedures which are ummm.... not applicable to any other field such as SCADA or medical database systems that are already in place. Who's smoking the crack here, the journalists or Cerf? I'm betting it's the journalists and that he's misquoted and/or being quoted out of context. Too lazy to RTFA of course...

    --
    For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
  6. Re:Please correct me! by phantomfive · · Score: 2

    Is this really a CS thing? Isn't it an IT thing? Isn't this type of security their problem? Where CS security is at a much lower level?

    Wow, whatever you do, please at a minimum look up "SQL injection" before ever writing a line of internet-connected production code.

    --
    "First they came for the slanderers and i said nothing."
  7. Specifics by phantomfive · · Score: 3, Informative

    If anyone wants to know what specific changes he suggests universities implement, don't bother watching the movie, he doesn't mention it. The interviewer never gives him the chance.

    The interviewer does however ask him who the mother of the internet is.

    --
    "First they came for the slanderers and i said nothing."
  8. You miss the point --- it's about security focus by Morgaine · · Score: 3, Insightful

    You teach core and theory and you apply it to whatever the current fad is.

    He's not really saying that CompSci programmes should be tailored for Internet of Things. What he's saying indirectly but perfectly clearly to those who are aware of the appalling state of networking security in recent years is that university-level tuition needs to buck up and face the music, because the people they have been releasing into the field are totally inept at designing secure systems. The hundreds of thousands of security problems spread right across the whole Internet speak for themselves.

    It's a very important message, and hopefully it will resonate with more than a few CompSci departments. IoT is just being used as an excuse for releasing a high-profile message from a respected person about the very unsatisfactory state of developer competence in the area of secure systems.

    Regarding your second point about education versus vocational training, you are right about that, but secure software design and cryptography are not subjects for vocational training, but very strongly in the domain of CompSci. You have to understand the fundamentals, not just know which functions to call.

    --
    "The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
  9. Wrong, Expectations Must Change by TrollstonButterbeans · · Score: 3, Insightful

    The most explosive *recorded* invention in the history of mankind was the printing press.

    And it set Europe on fire.

    But this led to the Renaissance.

    You can't put the genie back in the bottle.

    What is going on now with the internet and mobile devices and communication in general --- like the printing press or like radio or television --- is going to upset the status quo in 57 different ways.

    Embrace these ways, understand how they will be used for good (yes --- if you think citizens are upset, just imagine how upset tyrants and governments are --- people in power hate change) ----

    Communication advances always cause flowers to bloom --- any heartache always looks dumb and old fashioned in a decade of hindsight, because it yields new freedoms and rights that were never expected. If you doubt this, why do civil rights continue to grow and governments to ever more tend to the welfare of their people?

    --
    Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
    1. Re:Wrong, Expectations Must Change by phantomfive · · Score: 2

      That's cool, but, how does your post relate in any way to the story? I'm not seeing it.

      --
      "First they came for the slanderers and i said nothing."
  10. Security and Embedded Controllers by Bing+Tsher+E · · Score: 2

    I reject, fundamentally, the idea that 'The Internet of Things' means that every device in one's home should outwardly face the Internet. There is plenty of opportunity for layering. An IP enabled refrigerator can be connected to the internet through some far more secure routing device.

    Security zoning functionality and monitoring technology for security purposes needs to see far, far more development than it does at present. Perhaps there are entities and forces out there that don't want us to have security zones and have devices on our home networks actively sniffing and moderating our internal traffic, but we certainly are entitled to that and should make it happen.

    That is what computer science programs should concentrate more on, not securing everything as if every single 'thing' is entitled to, or needs to, face the outside world on the public Internet.

  11. yes change, but ditch "the internet of things" by globaljustin · · Score: 2

    "the internet of things" is a reductive concept. It's an unnecessary abstraction layer that just puts more barriers between the programmer and the device. We should be **getting rid of** concepts like this in CS not adding them...

    **of course** CS programs have the problems TFA listed...here on /. we know CS programs have areas for improvement

    what I object to is the entire notion of "the internet of things" as being a concept worth repeating...it's a nothing phrase that just confuses people

    when educating, we need to have concrete theory not hype language

    --
    Thank you Dave Raggett
  12. He doesn't know what Computer Science is. by catmistake · · Score: 2

    Computer Science has absolutely NOTHING TO DO WITH ANY INTERNET, of "things" or otherwise.

    Computer Science needs to change its name so everyone that thinks they know what a computer is can stuff it up their ass. Because CS has nothing to do with computers, and nothing at all to do with software or programming. The "Computer" in "Computer Science" is not, I repeat, is not synonymous with the thing you call "computer" that's on your desk or lap. It means simply "calculator," i.e. one who calculates, or, precisely, that which computes, or to make it really simple for them, that which reckons. They should call it Reckoner Science. Then no one would be confused, no one would fantasize about studying it (because they just love their computer!!) when they go off to college in a year or so, and HR morons would stop requiring CS degreed Windows Administrators or help desk monkeys because that is ridiculous. Mechanics don't need Mechanical Engineering degrees, Nurses don't need an M.D., and corporate America does not need specialized mathematicians furiously installing Java browser plugin security updates on all the machines on their network. Think of Computer Science as math... then you'll understand how stupid everyone sounds when they say anything about Computer Science. Be a programmer if you want. Programmers do not need a Computer Science degree, or any degree for that matter.

    I'm just going to put this here:

    Computer Science (abbreviated CS or CompSci) is the scientific and practical approach to computation and its applications. It is the systematic study of the feasibility, structure, expression, and mechanization of the methodical processes (or algorithms) that underlie the acquisition, representation, processing, storage, communication of, and access to information, whether such information is encoded as bits in a computer memory or transcribed in genes and protein structures in a human cell. A computer scientist specializes in the theory of computation and the design of computational systems.

    1. Re:He doesn't know what Computer Science is. by Dynedain · · Score: 2

      Understanding the impact of how the future world of always-on, always-available, omnipresent computing interacts at a high theoretical level is not programming and absolutely does belong in the realm of science of computing.

      This isn't the realm of code monkeys, and I agree that's not what CS should teach. However, the theory of systems and interactions should be taught.

      Where does researching AI, machine learning, or organic networks fall in your narrow definition? CS is maturing as a science and researching/designing the impact and how the science is applied by the world at large is a valuable endeavor that you shouldn't be so quick to dismiss and give away to some other field.

      --
      I'm out of my mind right now, but feel free to leave a message.....
  13. He isn't wrong; but is myopic. by fuzzyfuzzyfungus · · Score: 2

    So far as it goes, what he says is true: this 'internet of things' will represent a major challenge to secure and problem if not secured; further, if the present state of security tells us anything, we sure as hell aren't prepared for it, much less what we do right now.

    Fundamentally, though, treating it as a 'security' problem is making a dangerous and conceptually limiting mistake. "Security" ensures that a system operates as intended, provides only the access and capabilities intended to various parties, and so on. It Does Not specify who those parties are. Bad news, kids, based on everything we've seen so far, and how everything that was bad on the internet is even worse on 'mobile' and so on, do you really think that even perfect security would do much more than keep small-time criminals from inconveniencing 'respectable' advertisers and subscription-service pushers?

    Unless you think that cellphones were some sort of aberration, totally different from everything else because, um, reasons; 'internet of things' is just a polite way of saying "EULAs, crypto bootloaders, 'consumer behavioral marketing', and who knows what else, baked into every device large enough to support some kind of NIC".

    Yes, Cerf is correct in that having the 'internet of things' work out slightly better than "Hey, let's sell SCADA to home users!" would be a pretty good idea; but that's not even close to good enough. 'Security' just means that the wishes of the system creator are being followed. Do you think those wishes will be to your benefit?

    1. Re:He isn't wrong; but is myopic. by Dynedain · · Score: 3, Interesting

      I think Vint gets that, and is speaking to the higher level and using "security" as an abstract generalization.

      For example, the web was explicitly developed as a "pull" technology with declarative linking by reference with public visibility. Understanding the impact of that to how you build a security model governing access presents a unique challenge. By comparison, Usenet is the opposite. It's essentially a syndicated push technology, more similar to a broadcast publishing method. As a result, the security model for how people gain access to resources, and what talks to what, is handled in a very different way.

      Those are just two examples of content on today's general Internet which is an extension of Vint's work. When he talks about the Internet of Things, he doesn't merely mean the fad of sticking a web browser on a toaster. He's talking about the bigger vision of omnipresent computing and direct interaction of common devices to each other. Much like the Internet (specifically TCP/IP and DNS) was conceived as a way for computers to directly talk to each other (not going through a centralized hierarchy for approval and redistribution). We learned a lot of great lessons about how it would be used, the shortcomings, and the security ramifications. Now that we're in the fledgling stages of doing the same thing for a whole new area of automation and computing, there's great opportunity to think about and apply the lessons learned.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    2. Re:He isn't wrong; but is myopic. by fuzzyfuzzyfungus · · Score: 2

      I certainly hope he does, and he's definitely sharp enough to have a better-than-average chance of doing so. I think I've just gotten a bit jumpy about this sort of talk about 'security' since the whole electronic voting machines issue showed up (and, um, never actually went away, not that you'd know that by looking). Even some people I think of as atypically clueful and competent focused on the (genuinely alarming and sometimes downright comical) security flaws in the various early systems, and paid no apparent regard to the lingering issue that even a technically perfect machine, lacking all such flaws, was only step one to solving the problem of conducting an election with computers. Time will tell, and commercial imperatives and/or malignant spooks will probably have the last word anyway...

  14. well we need to drop the need college to get jobs by Joe_Dragon · · Score: 2

    well we need to drop the need college to get jobs part / have of all the non degree classes add up to something.

  15. "connectivity meme" is marketing B.S. by globaljustin · · Score: 3, Insightful

    The concept is very important, as it introduces a sea change.

    For far too long, computing has been about desktops and servers. Smartphones and tablets opened it up slightly

    Yeah...just like Telegraph machines "became" telephones...and a whole ***new way of communicating*** was invented!

    You sound like a salesman...like a TED Talk...or maybe a "tech evangelist"

    First, we don't need to invent a new word to describe "sea change"...the words "sea change" or any number of synonymous phrases used daily work just fine.

    2nd, computing has ****never**** been about "just desktops and servers"

    3rd, your understanding of "computing" is fundamentally incorrect

    we design devices to accomplish user tasks...we use all available technology (and maybe invent some new stuff) mitigated by cost

    "the internet of things" is just a B.S. marketing way to say "making devices that use updated technology to its fullest"

    stop it...just stop forever...there is absolutely no reason to ever say the words "the internet of things"...or "connectivity meme"....they are redundant concepts that conjure abstractions needlessly so people who don't understand technology can think they sound smart

    --
    Thank you Dave Raggett
  16. The Internet of socket puppets by WaffleMonster · · Score: 4, Interesting

    Apparently what the Internet needs most is yet another buzzword so nebulous, context free and ill defined nobody really understands what it is you're talking about.

    If "Internet of things" means home automation the technology has been around for decades yet remains a small niche market. "you can ..." scenarios are fun and cool and functional and all yet tend to impart very little useful value to the owner. I don't need or want Internet connected thermostats, light bulbs and toasters. As for security we can't even communicate securely. Email, Telephone/SMS are wholly insecure and trivially spoofed by anyone. Securing a mythical buzzword is not a problem I chose to spend my time pursuing.

  17. Don't even THINK about the sock drawer... by rts008 · · Score: 2

    Ahhh, the sock drawer...

    So, it has come to this.

    If you give your sock drawer access to the internet, it will hack its way into the means to put the Large Hadron Collider into turbo boost overdrive, all in order to rip the fabric of space-time to open a portal into Demon Murphy's dimension/domain (of Murphy's Law infamy), have a Massive Black Hole FedEx'd into our solar system, and Earth would get sucked into Demon Murphy's Domain, making Hell look like Paradise.

    All to hide the true facts about all of those missing socks that we always blame on the washer or dryer.

    The upsides are a lie, to answer your questions...but remember to be especially wary of the sock drawer!

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  18. Re:You miss the point --- it's about security focu by Anonymous Coward · · Score: 2, Interesting

    Personally I think that you miss the point. It's not about security in the real world, it's about the economics of security. No manufacturer will put an advanced security system into dirt cheap consumable devices. It is a joke to even consider IoT for most stuff. It's an '80s fantasy that just has no economical value if applied as blindly as the idea suggests.
    One of the major benefits of a structure like IoT is agencies can spy on everything more easily. The question is why we should consider this to be something we are ok with.

  19. Who wants this? by wcrowe · · Score: 2

    Apart from a few technology companies here and there, does anyone really want the "Internet of Things"? I have yet to hear someone say, "Gosh, I wish my washing machine were internet-capable". Yes, I understand that tech firms can come up with all sorts of scenarios where they can try to convince us that this technology will be useful, but what have you really gained with an internet-ready appliance, apart from yet another vehicle for advertisement?

    --
    Proverbs 21:19