Bruce Schneier: IoT + DMCA = More Monopolies, Limits On Consumer Choice (theatlantic.com)
New submitter OldMan17 writes: On Dec 24, while many of us were busy in a frenzy of commercial excess and socially-conditioned good cheer, The Atlantic published an article by Bruce Schneier predicting that the IoT will be abused in conjunction with DMCA to make our lives worse instead of better. Some of the precedents he cites are old news, but I expect we will have a lively debate in the comments as to whether the over-arching conclusion is justified by his arguments. When everything is online, laws made for "the internet" suddenly apply to everything.
Which places even more limits on Consumer Choice.
https://wikileaks.org/tpp-ip3/
web site take-downs without court orders?
Illegal to modify devices you own?
etc.
The Internet of Things (IOT) is being driven by commercial interests that are more interested in spying (known in commercial circles as marketing) and in control. Benefits will accrue, but they will not accrue to the people paying for the gear, which makes the IOT value subtracting for the average citizen.
Internet of Things devices could watch me while I sleep.
So does Santa Claus... So be good, for goodness sake!
“He’s not deformed, he’s just drunk!”
His example of the Hue dustup was a poor, poor choice as example there.
1) Hue bulbs use ZigBee Light-Link Profile.
2) The bulbs (all of them...ALL OF THEM in the IoT space right now) cannot be re-flashed.
3) In order to get a permanent private key for each SKU shipped using ZigBee LL Profile, the devices must conform to the spec and properly interoperate. So, they can't dink with the bulbs, period.
4) The only place you can even possibly DO what Philips attempted to do would be to dink with the final phases of the LL handshake, wherein the coordinator (the gateway puck) would allow federation with the mesh or not at the last part of the process, based on manufacturer and manufacturer ID, and just drop the federation request on the floor if it didn't match the list.
5) It's not DRM, per se. Worse, it's NOT compliant with the ZigBee spec. Not sure how the Consortium would handle a revocation of things like that, but the Coordinator in that configuration no longer complied with the spec (which is to allow Home Automation and Light-Link protocol devices ONTO that mesh and be able to control them, period).
6) Better yet, there were competing products (Iris, Wink, etc.) that could work with Philips' crap because of the ZigBee spec. While some of them don't have an "API" to drive it via PC, some do- and moreover, some of them let you have ZB and Z-Wave light controls signal lights on and off or to federate clusters of bulbs with a control panel that acts like a Light Switch. Philips just simply cut their own throats by trying this. People can go buy up their RGB bulbs or Osram's...and get the same basic functionality as Hue provided...for less money in most cases.
General purpose computers are on their way out. One decade or less and you won't be able to buy one. With no spare parts, those still existing will stop working very soon. But way before that happens you won't be able to connect to the internet without a "certified" device. This will happen. There is no way to stop it.
Most people don't want nuance on the extent they own the goods they buy. This horse shit about you owning the physical properties, but licensing the software that is essential to its function is going to drive a deeper wedge between the public and IP than the corporate sector realizes. When your property rights become antithetical to mine, guess whose rights I'm going to choose...
Internet of Things devices could watch me while I listen to the Backstreet Boys.
You sick bastard, the Backstreet Boys? Really?
Off with your head.
Just cruising through this digital world at 33 1/3 rpm...
But at least the old fatso doesn't rat you out.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You definitely don't need a frigging Internet connected LIGHTBULB.
I have a few frigging Internet connected lightbulbs, and while they are not "needed", they are certainly convenient. The bulb on my porch is controlled by an IoT motion detector, which also triggers an IoT camera, and sends an alert to my cellphone. The bulb in my kitchen is integrated with both a motion detector, and my Amazon Echo, so I can control it with voice. I save electricity, have better physical security, and I no longer have to get up on cold winter nights because my wife hears a noise. If the motion detector hasn't triggered, then I ain't gettin' up.
I really wish we could find out.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Hue bulbs (or Zigbee/Z-Wave enabled bulbs in general) aren't connected to the Internet. They are connected to a hub, which may or may not be connected to the Internet depending on the brand and on your home network setup. And this problem is not unique to home automation or IoT stuff. It's simply a manufacturer promising interoperability with other brands (by subscribing to the Zigbee / LightLink protocol), and then breaking that interoperability.
If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
White People Problems
Regardless of whether you're a white, black, brown, or pink-and-purple-polkadot, Mister Anonymous Coward, you are a racist and therefore part of the problems here in the United States just because you put things in those terms. I'm dead serious. The Human Race in general needs to get over this sort of shit, and if you're black? You need to stop perpetuating your own racial stereotypes, and you need to stop your own anti-white racism, because all you're accomplishing is perpetuating the vicious cycle of racism all around; knock that shit off.
ALL lives matter, not just Black lives, and anyone who doesn't agree with me can GO FUCK THEMSELVES.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Here is where things get nefarious. IoT are like social networks. In the past, you could just tell people where to stick it when they talked about their livejournal, MySpace, or Orkut stuff. However, if one doesn't have a LinkedIn account, FB account, and a Twitter account, you will be turned down for jobs.
I know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
IoT has the potential for being just like that. For example, the Bluetooth deadbolt. It might be that apartment managers and other landlords install IoT security devices because it makes their job easier to lock out tenants being evicted, know who is going into a tenant's place, or to let maintenance in on a schedule regardless if the tenant wants it or not. Far more flexible for the property owner, and the tenant would have no choice in the matter.
Insurance can also demand IoT devices, say CCTV monitoring and file storage, or IoT deadbolts and other devices so they can be assured that a property is secured when the owners are away. If this isn't done, they won't renew the policy.
Then, there is the phone home aspect. Pull the internet connection on a modern console, it halts. I wouldn't be surprised if a future HDCP spec that requires all devices to authenticate with a central server for a healthcheck every so often, would require that all TVs and such be always on and in communication. As per the EULA of the TV, video and audio would also be sent back for "IP enforcement purposes". If someone disagrees with that... well, good luck with the no-sue arbitration agreement they agreed to...
Next comes devices. Take the refrigerator for instance. Good luck trying to find a completely mechanical one with a thermostat and compressor that runs for decades. Most have various computer controls. It wouldn't be surprising that IoT functionality is important, and no network connection means the device does not function, especially if the fridge maker starts demanding license keys to activate the ice maker, crisper section, and such.
The key is to not just avoid buying IoT shit, but make it -damn well known- that you will never buy that because you don't want another route an intruder can trespass into your home. Because IoT security is so weak, and there is zero incentive for companies to actually do something about it, it needs to die on the vine.
You provide consumers value in order to justify purchasing. Otherwise they deserve to go out of business. Companies aren't owed our money.
Yeah, because non white people don't buy the same damn products.
The trouble with ZigBee is that "ZigBee compliant" doesn't mean different devices will actually work together. Z-Wave, a more restrictive and more proprietary system, actually works better. And that illustrates what's wrong with Schneier's reasoning: forcing platforms and protocols to be open does not necessarily make life easier for consumers, because something being proprietary can result in better user experiences, as the owner of that technology has a stronger financial interest in policing it. Apple devices are another example of this. Many technologies that we now think of as "open" started off as proprietary.
Nevertheless, I think the DMCA is overreach and unnecessary: there shouldn't be legal penalties for reverse engineering or making compatible implementations. On the other hand, we should also not mandate open protocols and not scream bloody murder every time someone comes up with a proprietary system or puts up barriers to interoperability.
As for home automation, there is no "monopoly" and no sign of one: there are a dozen different standards, some open, some mildly proprietary, and some completely proprietary, plus hundreds of vendors. Let the market decide which model works best. I don't think it will be full ZigBee, because that "standard" is a mess.
That's the day you stop using the net and actively work against its tendrils infecting your life.
Don't fucking buy this Internet of Things, crap.
Don't trust that you aren't getting screwed in the deal. Don't trust that your security isn't being left up to some greedy asshole of an MBA. Don't trust that it isn't designed first and foremost for analytics and ads to make even more money for those greedy assholes.
Stop buying into this garbage, you don't need your damned phone to be able to control your lights.
Feel like you're getting screwed in the process? Don't play the game.
Millions of people every day go through their lives without needing a bloody app for this shit. Stop worshiping technology and realize just what this stuff is ... marketing hype made by lazy, greedy idiots who don't give a crap about you.
Lost at C:>. Found at C.
Amazon cloud box != general purpose machine under user control. For now, they let you run pretty much what you want, but that can change at any time.
Then in exchange for "convenience" (although your setup sounds ridiculous) you give away your rights.
What "rights" have I given away?
$600 a year for years, and it comes with a kill switch. No thanks. I like knowing my tools will stay in the toolbox where I put them last and I don't like paying over and over for them.
You could use a centralized control box for bog standard lamps and cams, too, and get the same functionality. You can also tell your 21st century empowered wife to get up off her lazy ass and check out the noise, but that would require you to have some balls.
Frank Herbert wrote a series of novels and short stories about a future in which the Government had become efficient, and because of that, sorely oppressive. In order to restore basic freedoms, a Ministry of Sabotage was instituted, whose job it was to throw wrenches into Government projects, especially ones that intruded into the basic freedoms of the populace.
Edward Snowden comes to mind...
Don't take life too seriously; it isn't permanent.
The internet of things, to me, is a set of devices and items that are connected to a network and are accessible to me via my own services, should I choose to have them. A network connected fridge that can signal that it is warm on my LAN to have said signal picked up by my HA unit which then messages me is what I envision. Nowhere in that vision does my LAN even need to be connected to the internet proper. In fact, I'd be most happy if my HA LAN was not connected to the internet in any way.
Of course, such a vision follows more along the lines of SNMP LAN type operations, with a standard messaging format being all that's required. A device is compatible with the protocol, and we're good to go. I don't need a $10 / month service to let me visualize my freezer's power usage.
The cesspool just got a check and balance.
You definitely don't need a frigging Internet connected LIGHTBULB.
I have a few frigging Internet connected lightbulbs, and while they are not "needed", they are certainly convenient. The bulb on my porch is controlled by an IoT motion detector, which also triggers an IoT camera, and sends an alert to my cellphone. The bulb in my kitchen is integrated with both a motion detector, and my Amazon Echo, so I can control it with voice.
News flash. Motion detectors do not need the fucking internet to work. They just need motion.
I save electricity.
$20 on your electric bill? Well at least we know what it costs to buy your privacy. Good to know it's this cheap for the average citizen.
, have better physical security, and I no longer have to get up on cold winter nights because my wife hears a noise. If the motion detector hasn't triggered, then I ain't gettin' up.
So, all I have to really do is disable your motion detector. After all, you have "better" security by ignoring it if specific triggers aren't hit.
...but that would require you to have some balls.
He does, but they're connected to the Internet.
It must have been something you assimilated. . . .
Tl;dr: https://xkcd.com/605/
Actually you misunderstand. Let me provide you with a point. As the demand for internet connected cars increases, you assume it will continue to increase. This is a logical fallacy. Imagine that the rate has increased 1% per year for the last 20 years and is now at 70%. Over 30 years you would expect the trend to continue to 100%. But why stop then? After 40 years you would have 110% demand, which is impossible.
There will be internet-less cars forever. They may decrease in prevalence, but they will remain. If 5% of the population wants an internet-free vehicle and 70% of vehicles are internet powered, that 5% demand has no effect on the market. But as soon as 96% is reached that leaves 4% of cars internet-free, while 5% of consumers want them. This will cause a price spike in internet free cars and car manufacturers will increase production to reach equilibrium with demand.
I think the SDOs (ISO, ANSI, IEEE, etc) made a fundamental mistake when they decided to accept patented technologies as part of formal (de jure) standards.
If I were King, the FRAND license cost for any patent that appears in a de jure standard would be $0. If the patent-holder won't give up the rights, then the technology should not appear in a standard. Now that clearly would restrict what can be standardized, but that's a tradeoff that both society and patent holders should accept.
(And technology R&D funded by governments should be royalty/license free. DoD certainly used to do that, and look at the advantages -commercial companies- have gotten from the fact that the basic Internet protocols are royalty free/not patented.)
Did you sue the company?
The real "Libtards" are the Libertarians!
What "rights" have I given away?
The right to privacy, dumbass.
Only in your paranoid fantasy. The lightbulbs are too cheap to contain an NSA microphone. If the NSA wants to spy on me, they would be WAY better off compromising the Amazon Echo, which already listens in and digitizes everything it hears. The IoT lightbulbs add near zero additional threat surface.
why have you stopped buying general purpose computers?
and anyway. I don't understand what universe anyone could think this "hue debacle" has in any way been a good thing for the company which would encourage others to do the same.
that kind of reputation damage to even a well established company gets large portions of staff laid off.
to an otherwise unknown company like whoever makes hue the usual outcome is chapter 11 bankruptcy.
The one he made up because he's frightened that kids these days are Facegramming and Instatweeting and he doesn't like it.
when somebody can say to another person that a friend was arrested/jailed for "X while colored" and be mostly telling the truth ( was carrying a naloxone kit and got busted for "drug paraphernalia")
this is a problem.
but to dismiss this as a White People Problem is not considering that when the IoT comes to your local Dollar Tree/Family Dollar it's too late to do anything.
I am aware of where IoT appears to be going. I'm stating that IMNSHO, it is entirely not what I'd envision IoT to be, as IoT should help me, not make me and my activities a product.
The cesspool just got a check and balance.
If it was a reasonably spec'd out system, you'd just plug and play. All you'd need is a hub or a service running that would interact. Need a new device, add it to the service or hub. It's a pretty simple system, as long as monetizing your activities and data stays out of it.
I'm currently hacking some hardware for just this purpose, only because one is not offered that can run without a cloud service.
The cesspool just got a check and balance.
know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
"Over 40" is a protected class. This is no different legally than an interviewer telling you he doesn't hire blacks. If you didn't just make this up, it's worth suing them.
Socialism: a lie told by totalitarians and believed by fools.
Did you sue the company?
On what grounds? There are specific laws that prohibit employment discrimination based on race, religion, gender, and a few other specific criteria. Anything else is legal. A company can refuse to hire anyone without a twitter account, without breaking any law. My company refuses to hire smokers. That is legal. As a class, smokers have no rights.
It wouldn't be worth the time, since I found a far better place to be at anyway, job-wise.
As for FB/whatever, I decided to make an account, and keep them around. I now use Twitter for announcing GitHub releases I make. That way, the account is of actual use.
As for IoT, whining about it is not going to do much. However, there are a few ways to actually make IoT truly secure... not secure as in the sense of "locking it down" secure... but secure as in resisting unauthorized intrusions, modifications, deletions... the classic sense.
Three ways to make it work:
1: Get some people who know what they are doing, such as Bruce. Make a UL type independent organization whose job it is to check security of products in both white-box testing and black-box testing. Security such as resisting attacks via the network, ease of resetting the device, should the owner lose the password, how firmware updates are handled [1], how the device reacts to intrusion attempts, internal security like chrooting, signed executables, SELinux, ASLR, and other methods. Have the independent organization's approval a must for the device to be sold. Of course, this invites regulatory capture, and genuine security can easily be perverted into "keeping the user out" security... but anything in IoT is better than nothing.
2: Move to a different topology for IoT devices than having the devices connecting directly to the Internet via a 3G/4G connection or using a Wi-Fi access point. Instead, the devices should communicate on the LAN basis to a hardened appliance... and that appliance does the sending and receiving for the devices. This way, the "smart toaster" communicating to the hub via Bluetooth will be extremely difficult to hack because it sends the user's toaster preferences up through the BT hub, which then relays it through the Internet. Going with a hub/spoke, with redundant hubs possible, would significantly decrease the attack surface of IoT devices.
3: Use the principle of least privilege. If an Internet connection isn't needed (say for a device to work as a remote), use Bluetooth. If the device has to have an Internet connection for updates, have documentation that describes the sites it connects to [2], and what ports that it should be allowed. Anything else should be blocked. The device should even enforce this in its OS firewall (netfilter for Linux, for example) to protect against unauthorized processes trying to get out. If "smart" functionality isn't needed, don't bother with it.
Take the "smart" refrigerator. If appliance companies wanted to make something expensive, why not a fridge with two cooling mechanisms... the standard compressor that plugs into the wall, and an absorption mechanism which can be powered by electricity, natural gas, or propane. This way, if there is a power blackout, the fridge still retains cooling capacity, and with a thermoelectric generator (think a Peltier running in reverse), would have enough power to keep the core circuit board running. I'm sure there would be more demand for a fridge that keeps the food cold if power goes out, than a fridge which can display ads 24/7 on the screen.
[1]: I believe in the old school idea of a physical button or switch that is used before flashing firmware... but this isn't something that can be done if the device is not physically accessible, so maybe a fallback would be some other mechanism. That way if the RSA key is compromised, the vendor can use a different, but still secure, way to get the updates to devices.
[2]: Ideally, it should just fetch a signed manifest via SSL, and go from there. If the embedded OS is Linux, it could even use an existing package manager like Yum or apt so that wheel doesn't have to be reinvented.
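An added illustration of point 3 in the comment above (documented destinations and ports, everything else blocked, enforced in the device's own netfilter firewall); it is not part of the original post. The destination list, addresses (RFC 5737 documentation ranges) and flow records are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed stand-in for the vendor documentation the comment asks for:
# every destination and port the device is expected to reach.
DOCUMENTED_EGRESS = [
    {"purpose": "firmware updates", "cidr": "203.0.113.10/32", "proto": "tcp", "port": 443},
    {"purpose": "time sync", "cidr": "203.0.113.53/32", "proto": "udp", "port": 123},
]

# Constructed flow records, e.g. as exported by the home router.
OBSERVED_FLOWS = [
    {"dst": "203.0.113.10", "proto": "tcp", "port": 443},   # documented
    {"dst": "203.0.113.53", "proto": "udp", "port": 123},   # documented
    {"dst": "198.51.100.7", "proto": "tcp", "port": 443},   # undocumented host
    {"dst": "203.0.113.10", "proto": "tcp", "port": 23},    # documented host, wrong port
]


def render_nftables(allow):
    """Render a default-drop nftables output chain for the device itself.

    Only loopback, replies to established connections and the documented
    destinations are accepted; anything else is logged and dropped.
    """
    lines = [
        "table inet device_egress {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        '    oifname "lo" accept',
        "    ct state established,related accept",
    ]
    for entry in allow:
        net = ipaddress.ip_network(entry["cidr"])  # raises on a malformed entry
        family = "ip" if net.version == 4 else "ip6"
        lines.append(
            f'    {family} daddr {net} {entry["proto"]} dport {entry["port"]} '
            f'accept comment "{entry["purpose"]}"'
        )
    lines += [
        '    log prefix "egress-denied " drop',
        "  }",
        "}",
    ]
    return "\n".join(lines)


def is_allowed(flow, allow):
    """True if the flow matches a documented destination, protocol and port."""
    dst = ipaddress.ip_address(flow["dst"])
    return any(
        dst in ipaddress.ip_network(e["cidr"])
        and flow["proto"] == e["proto"]
        and flow["port"] == e["port"]
        for e in allow
    )


def audit(flows, allow):
    """Return the flows that fall outside the documented allowlist."""
    return [f for f in flows if not is_allowed(f, allow)]


if __name__ == "__main__":
    print(render_nftables(DOCUMENTED_EGRESS))
    for flow in audit(OBSERVED_FLOWS, DOCUMENTED_EGRESS):
        print("undocumented egress:", flow)
```

The same allowlist drives both the on-device ruleset and the audit of traffic seen at the router, so a device that talks to anything it did not document shows up even if its own firewall is missing or bypassed.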
Not $600. $600 in perpetuity or until they decide to up the license fee. Why do you have this slavish devotion to giving up control of access to things you depend on, and for what? Illusory short-term convenience of always having the latest (possibly buggy or purposely castrated) version? It's a sad state of affairs. If illustrator 7 does what is needed, then why not? If it doesn't, then you've got a point, and maybe it's time to upgrade. At least I'd have a choice instead of paying out for endless treadmills whether it's needed or not. As far as piracy goes, this scheme doesn't prevent it at all. It only rips off legit customers.
Actually, I'd welcome a return to win2k GUI widgets. They lag less and miss less input than the latest garbage in use today, but that's an entirely different issue.
It's likely you were once a 'useless hobbyist' yourself.
Better example: in an age where Raspberry Pi's are being celebrated by mass media as the next big thing in education, it seems unlikely that this envisioned total lockdown will happen any time soon. After all, no politician wants the other guy to be able to point at him and say "my opponent opposes giving children a proper STEM education!" So, maybe the big lockout will happen if Microsoft can get its hooks into the embedded/maker world via its godawful Windows 10 IOT core, but not before.
That brings new meaning to "hacking 127.0.0.1" now doesn't it?
"So long and thanks for all the fish."
I have no idea how that got posted as an AC. :/
"So long and thanks for all the fish."
John Deere, most car companies, and other big name product vendors that have gone increasingly "computerized" have taken the view that you have at best a "perpetual license" to the software that runs your machine. The fact is that it works in bigger industries only because of the relative benevolence of the companies involved. However, what are you going to do when your self-driving car is 10 years old and needs updates? You're going to have to buy a new one because they may have switched out all of the underlying hardware, firmware and even the embedded OS by then.
Did you fail to read in the GP post that the interviewer told him that he was too old? "Too old" is one of those "few other specific criteria".
The real "Libtards" are the Libertarians!
IoT will end up in the pile of rejected consumer electronics technologies - like 3D and curved TVs. Companies are desperately looking for the next big thing to foist on consumers.
I've seen IoT devices for the past few years at CES (and I will probably see a ton more next week when I go). The IoT display at the Samsung booth always makes me shake my head. Here is a company that can't manage to keep Android updated on 2 year old mobile devices, but somehow they are going to update my 5 year old refrigerator?.....right.
The biggest problem that IoT has is that mainstream consumers (not you and I on Slashdot) simply view these devices as too complicated and not worth the hassle and expense.
Does your washer and dryer really need Twitter and Facebook? I'll bet most consumers think not.
Make no mistake - some IoT devices will succeed. Most will not.
I am NOT kidding around. I am gods-be-damned SICK AND TIRED of people and their stupid hate in all its different forms! Look at what it's doing to the entire world!
IT.
HAS.
TO.
ALL.
STOP!!!!!!!!!!!!!!!!!!
I hate you because you're white
I hate you because you're Mexican
I hate you because you're {insert ethnicity here}
I hate you because you're Muslim
I hate you because you're NOT Muslim
I hate you because you're Sunni
I hate you because you're Kurdish
I hate you because you believe differently than I do
I hate you because you believe in a God
I hate you because you DON'T believe in a God
I hate you because you're gay
I hate you because you're straight
I hate you because you're a man
I hate you because you're a woman
I hate you because your politics are different from mine
I hate you because {insert stupid-ass reason here, because they're ALL STUPID ASS REASONS}
!!! IT HAS TO STOP!!! JUST FUCKING STOP!!!
You're a young female and you want to go to school and that offends my God, so I have the right to throw acid in your face
!!! NO MORE !!! JUST STOP IT !!!
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
I've got a couple Network-of-Things lightbulbs, specifically miLights, that allow me to change the brightness and color temperature. They use a sort of hub to connect to the network, which in turn lets Tasker control them. Do I need them? Certainly not. Do they make mornings far more pleasant by slowly ramping the light up in brightness and color temperature? Yes, they do. Are they connected to the internet? Absolutely not. When I set them up, I specifically set my router to not allow any traffic from the hub or to the hub to cross it at any time. Does the bulb work just fine in this configuration? You bet. It doesn't need to connect to the internet to work, so I don't let it. Same thing with my Edimax smart plugs. In the future, however, these kinds of things may not work without an internet connection, despite really only being useful locally. When you go out and buy a new Mr. Coffee, even if you don't want or ever use the smart feature, the only way to get it to brew would be to connect it to the internet. Then when you go to sue them because the security on it is atrocious and your network gets hacked, you're stuck because there's an arbitration clause. This is what they're concerned about, not something superficial like 'my lightbulb won't go anymore'.
So, you can't see the utility in:
A refrigerator that lets you know you need to pick up milk or eggs, and lets you know when the temperature is out of an acceptable range (door was left open by someone, or there is a problem with cooling) so that you can deal with it before it becomes a major issue like defrosting the whole freezer full of food?
A microwave oven that sends a text message that there is a problem, or when it is time to clean/disinfect
A conventional oven that signals when the roast is ready
A dishwasher that lets you know the load is ready to be emptied or that it needs more fluids added (such as the spot free rinse stuff you add in a second reservoir).
A clothes washer and dryer that lets you know when the load is done so you can switch the loads (oh damn...I left the wash in the washer again...I will have to run it a third time...)
Lightbulbs that can tell you the kid left the lights on so you can turn them off remotely.
Or even what you didn't mention, a garage door opener that can detect it was accidentally left open and notify you, or close itself, or be closed remotely.
Another you didn't mention, a front door lock and bell that can be accessed remotely, so you can see who is at the door when the doorbell is rung, and allow you to let them in when it is the kid who forgot their key.
APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
"Too old" is valid only if you're between 40 and 65 inclusive, IIRC.
However, a lawsuit will only work if you can show a preponderance of evidence in your favor, and "he said-she said" doesn't constitute one.
Anything in writing from the company mentioning "too old" would be good, but very few companies are that stupid nowadays.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes