Slashdot Mirror


Bruce Schneier: We Need To Save the Internet From the Internet of Things (vice.com)

Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.

91 of 164 comments

  1. confirms the Matrix by Anonymous Coward · · Score: 1, Funny

    Bruce just confirmed we are in the Matrix.

    1. Re:confirms the Matrix by ls671 · · Score: 1

      Elon had already done so...

      http://www.telegraph.co.uk/tec...

      --
      Everything I write is lies, read between the lines.
    2. Re:confirms the Matrix by LQ · · Score: 1

      Elon had already done so...

      http://www.telegraph.co.uk/tec...

      That article includes the wonderfully tautologous statement that we may live in a computer simulation run by our descendants.

  2. The only way this will get fixed by Registered+Coward+v2 · · Score: 5, Insightful

    is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business. Otherwise, as TFA points out, they had no reason to bear the costs of fixing the problem since it doesn't impact them. Until there is a significant cost associated with making an insecure device they will remain insecure. That's also one of the problems with the internet: there is no way to block access from insecure devices when they become part of a botnet. If there was, and manufacturers suddenly got lots of warranty calls when it stopped working, they might actually care about security.

    --
    I'm a consultant - I convert gibberish into cash-flow.
    1. Re:The only way this will get fixed by mlts · · Score: 4, Insightful

      "Security has no ROI" is a mantra I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they'd just tell users to buy version 2 of the device that might move the open port from 23 to another number, and call it done.

      What would be ideal would be something like UL listings, except for security instead of electrical safety. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.

    2. Re:The only way this will get fixed by gnick · · Score: 4, Insightful

      is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.

      What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.

      --
      He's getting rather old, but he's a good mouse.
    3. Re:The only way this will get fixed by MitchDev · · Score: 4, Insightful

      When they get SUED and pay out the nose is the only time they'll take it seriously.

    4. Re:The only way this will get fixed by DickBreath · · Score: 5, Interesting

      Maybe the cost needs to be a government fine. That way it has a guarantee of financial impact. No uncertainty about whether a lawsuit will be filed, or whether it will be won. And a private party does not have to bear the cost of initiating the lawsuit.

      Simply have statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.

      Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.

      It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built in incentive to build them as cheaply and unsafely as possible.

      --
      I'll see your senator, and I'll raise you two judges.
    5. Re:The only way this will get fixed by rtkluttz · · Score: 4, Insightful

      Wrong. The only way this gets fixed is if cloud command and control goes away. The Internet of Things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suit them. Configuration differences from one place to another make mass control almost impossible. Yes, it's much more likely that individual sites get compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall. The CORPORATION is the biggest damn security threat we have.

      --
      Digital is, by definition, imperfect. Analog is the way to go.
    6. Re:The only way this will get fixed by Grishnakh · · Score: 1, Troll

      What would be ideal would be something like UL listings, except for security instead of electrical safety.

      Won't work. People used to value UL ratings because they were worried about electrical appliances catching on fire. People don't even care about UL ratings any more because this just doesn't happen, except with things that have lithium batteries.

      The fact is, consumers just don't care about security. They don't know anything about it, they don't want to know, they just know the nebulous "hackers" are "out there" and there's nothing they can do about them, so they stick their heads in the sand and hope for the best.

    7. Re:The only way this will get fixed by Snotnose · · Score: 3, Insightful

      Maybe the white hats can help. Get the malware used in subverting the devices, then modify the payload so it changes the network settings to knock the device off the internet. If the owner is knowledgeable they can fix it, probably do so 3-4 times, then return the unit. Everybody else will just return the unit.

      This costs the manufacturers big $$$ and removes the threat.

    8. Re:The only way this will get fixed by Anonymous Coward · · Score: 1

      As long as they're allowed to disclaim liability for obvious problems with their products, there will be no movement on the issue.

      It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

    9. Re:The only way this will get fixed by unixisc · · Score: 1

      The only way this will get fixed is when internet providers get serious about IPv6 security and migration, since that's what the Internet of Things hinges on. Essentially, how to set things up so that things like camcorders connected to the internet can't be remotely maneuvered except by network nodes authorized to do that. And before anyone says 'NAT', this is not an issue about NAT: it's an issue about not knowing how to set up IPv6-based VPNs and have everything operate within that.

    10. Re:The only way this will get fixed by Hognoxious · · Score: 2, Insightful

      According to AmiMoJo, it's a form of transportation that is literally a rapist.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    11. Re:The only way this will get fixed by arth1 · · Score: 4, Insightful

      It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.

      In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.

      So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.

    12. Re: The only way this will get fixed by Dadoo · · Score: 4, Interesting

      Fines won't work unless they are income-based

      So fine the people who own the devices. Start with a small fine, like $10, then double it for each repeat offense. Eventually, the word will get out, people will stop buying products from that vendor, and sales will suffer. They won't have any choice but to make their products secure.

      --
      Sit, Ubuntu, sit. Good dog.
    13. Re:The only way this will get fixed by Anonymous Coward · · Score: 3, Informative
    14. Re: The only way this will get fixed by bestweasel · · Score: 3, Interesting

      I know this goes against everything you believe but sometimes government has to step in because people and corporations with a vested interest can't always be trusted to do the right thing. That's why you have mandatory requirements for electrical goods and many others, from water to food. Do you think those laws should be repealed? There should be mandated security standards for internet devices, checked by independent researchers and paid for by the manufacturer.

    15. Re: The only way this will get fixed by spire3661 · · Score: 4, Insightful

      Yes, I very much do. For too long we have coddled users; either they step up and learn some of this stuff, or they get left behind and cut off. A firewall configuration is not a high bar to cross in an Information Age.

      --
      Good-bye
    16. Re: The only way this will get fixed by kuhnto · · Score: 1

      Agree. Most of us are capable of operating 3000 lb machines at 70 mph, and we learned that in high school. Configuring a firewall should be the new driver's ed for our society. I was about to say "No IT license, no Internet", but unlike driving, I think the Internet has become a basic right. So I will step back from that ledge, and say it would be valuable to society if there was some training going on somewhere. I just do not know where...

      --
      "A 'person' is smart. 'People' are dumb, panicky animals and you know that."
    17. Re: The only way this will get fixed by bestweasel · · Score: 1

      Yes, that's always a danger with regular auditing because the auditors want the repeat business next year. Then the audit becomes routine, everyone complains about how pointless it is and it's treated as a box-ticking exercise. They're mostly right because how often does the shit hit the fan? How likely is it that an auditor will come across an Enron? They missed that of course.

      Mostly though, the regulations, inspections and enforcement work. Thousands of Americans aren't electrocuted because of faulty electrical goods. A similar framework for internet security would work just as well, if it weren't for the privacy implications, which means there should also be some oversight of both government and manufacturers, which is why I suggested independent researchers. They needn't be hired directly by the manufacturers (and going along with your concerns, shouldn't be), just paid for by them.

    18. Re:The only way this will get fixed by overnight_failure · · Score: 1

      Actually I think it's time they were made legally responsible for their product's security. Practically speaking they could never know about every single attack vector that could be dreamed up. But making them (on pain of large, ongoing fines) use decent security protocols and decent, random default passwords would be a start.

    19. Re:The only way this will get fixed by Pieroxy · · Score: 1

      What you say is that some "good conscience" grey hats need to write robots that hack through those devices and brick them? That could work. But then you need to protect yourself pretty well, 'cause the day one of those manufacturers gets a hold of you, you're going to get sued down to oblivion.

    20. Re:The only way this will get fixed by turbidostato · · Score: 1

      "The only way this will get fixed is when internet providers get serious about IPv6 security and migration"

      So, the problem is stated as being no motivation for the IoT producer to spend on securing their devices and then your proposed solution is for a third party to do something it is even less motivated to do?

      Brilliant.

    21. Re:The only way this will get fixed by Bert64 · · Score: 1

      If the manufacturers are not based in Europe, nor selling directly in Europe, then there's not much recourse under European law.
      Most of these devices come from China.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    22. Re:The only way this will get fixed by Bert64 · · Score: 1

      I agree, I want devices that work in exactly the way you describe... I would put them on their own VLAN, access them via VPN, and there would be relatively little risk even if the devices themselves are horrendously insecure.

      Unfortunately the vast majority of potential customers are not up to that; most have no idea how to punch holes in their firewall or aren't even able to (carrier NAT for instance), so you have devices that connect out to a server somewhere that the end user has no control over. You end up with automated ways to punch holes through firewalls (UPnP etc.) which defeats the whole point.

      If devices are directly reachable over the internet they will get mass owned, there won't be many configuration differences because most users never change the defaults. Most if not all of the devices exploited recently were obtained through default passwords and these make up the minority of users who have such devices directly reachable. Many more such devices will live on internal networks waiting to be found.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    23. Re: The only way this will get fixed by spire3661 · · Score: 2

      No, I want her to pay a professional to help her with it, just like if she wanted a new electrical socket installed to plug it in, or needed a water line for the automatic ice maker.

      --
      Good-bye
    24. Re: The only way this will get fixed by TheMeth0D · · Score: 1

      The government's idea of security is the TSA. I'd hate to see what the internet equivalent would be.

    25. Re:The only way this will get fixed by DickBreath · · Score: 1

      I didn't say anything about government licensing, registration or inspection. Only about mandatory fines. Inspection could be done privately, similarly to voluntarily getting a UL sticker -- which says a lot about your product.

      If your product causes a fire, your company is to blame. It should be similar for IoT devices used for hacking. If you make a device that is hacked and used to cause damage, your company is to blame just as much as if your device caused the building to burn down. What is so difficult to understand about this? Companies should make unsafe products. If you can't, then get out of the way for the next guy who can.

      --
      I'll see your senator, and I'll raise you two judges.
  3. The government to save us? by JcMorin · · Score: 4, Insightful

    So the government will pass a law and all IoT will be secure... that would be the US government I assume? All companies in the world will be complying with the new law? I would not count on that for sure.

    1. Re:The government to save us? by Anonymous Coward · · Score: 1

      The government is complicit, not responsible. Chaos is good for them; it creates a demand for control that we refused them over and over again. They're either gonna let it rot to replace it or fix it in their own mischievous way.

    2. Re:The government to save us? by Anonymous Coward · · Score: 1

      Well, the US, or the EU, or another country or bunch of countries with a sufficiently large population. It just takes a big enough segment of the market to demand better security, either through consumer or legislative action, that the loss of sales would outweigh the cost of better development.

    3. Re:The government to save us? by thegarbz · · Score: 1

      It gets even better. He's declaring the free market as incapable of solving a situation that is well and truly in its infancy.

      You know parents don't take kindly to people calling their toddlers retarded.

    4. Re:The government to save us? by rudy_wayne · · Score: 2

      So the government will pass a law and all IoT will be secure... that would be the US government I assume? All companies in the world will be complying with the new law?

      I would not count on that for sure.

      99% of all those IOT devices are made in China. If the U.S. created tougher regulations regarding security, it seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else. So the rest of the world would end up getting more secure devices also.

    5. Re:The government to save us? by lgw · · Score: 1

      seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else.

      They do this with almost everything manufactured in China - including the version with the branding, and the (sometimes local-only) cheap version without logos. Chinese manufacturing companies are really good at manufacturing these days, and can do custom runs easily.

      In the case of IoT, there'd certainly be a version with a backdoor for the Chinese government, so we can only hope there would be 2 versions.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    6. Re:The government to save us? by Bert64 · · Score: 1

      The law under which they were requesting the takedown didn't apply, but their actions were still illegal in their home country under other existing laws there.

      In most countries a DMCA request is meaningless and you have no obligation to comply with it, you are only required to comply with a court order issued by a local court. Especially when you are a hosting provider, as you're not responsible for the content in question anyway - your customer is.

      For the things I host (none of which is hosted in the US), I ignore DMCA complaints as the vast majority are just automated anyway. If I get a polite personal request from someone I'll usually look into it and may in turn make a polite request to the user who uploaded the content, but a templated DMCA demand just gets junked.
      The users I'm hosting are free to act on or ignore such requests as they see fit, but I won't be deleting their files or handing over their personal details unless a court order compels me to.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  4. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 1

    right... because the government had nothing to do with the creation of the Internet and has certainly never run secure nodes with large numbers of devices attached to them...

  5. At the very least... by lance_of_the_apes · · Score: 1

    All IOT products need to be labeled as such. Then I can avoid them...

    1. Re:At the very least... by Opportunist · · Score: 1

      Great. You avoid them. So do I. That's already half the problem done, now let's go and educate the millions of others who will buy those things.

      The problem is not you or me. The problem is that "internet connectivity" is another checkbox on the little card that gives people information about the appliance they're looking at at Wal-Mart, Costco and whatever other chains there are that can't give you any idea about the things they sell 'cause they themselves have no idea about them.

      And this TV has 6 checkboxes ticked, and that one over there only 5. What's that extra checkbox? "WiFi". Beats me what this is, but it's one checkbox more, let's buy that one!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:At the very least... by SeaFox · · Score: 1

      All IOT products need to be labeled as such. Then I can avoid them...

      This isn't hard.

      The device I'm about to purchase (check all that apply)
      __ has existed for decades, but has a computer built into it now, and did not normally have one prior to the year 2000.
      __ can control other simpler items in my house (i.e. lamps, garage doors, entry doors, climate control systems, security systems).
      __ connects to my household LAN.
      __ can be used from outside my own local area network through a smartphone app or a publicly accessible website that was not written by me.
      __ was made by a company that primarily makes PC accessories or peripherals (Belkin, Logitech, etc) or a company that is less than 8 years old.

      If you checked two or more lines it's an Internet of Things device.

  6. One solution by imbusy · · Score: 2

    Can we have a botnet that scans the internet for insecure devices and changes their password?

    1. Re:One solution by b0bby · · Score: 2

      It would actually be pretty great if there were a site which would let you scan the IP address you were coming from (so you couldn't use it against others) with a full Metasploit-style array of checks. It could be helpful to a lot of home users who have a basic NAT router going on, maybe with some port forwarding so they can get to various devices like DVRs.

      Hopefully someone is going to chime in "You mean like..."

  7. Re:The government can fix this? by Gilgaron · · Score: 1

    Not directly, as you point out, but if they passed a law stating that the IoT makers were liable for misuse and made it easy to pin them on these things they'd be sure to secure them.

  8. government interventions by silas_moeckel · · Score: 2

    or just turn off UPnP on your firewall?

    IoT to the cloud is a problem security-wise. The bigger issue is that IoT devices should not be throwaway stuff. That means designing them to function as part of a home for 20+ years; the smarts need to be an IoT controller, not some cloud service that might still be around.

    --
    No sir I dont like it.
    1. Re:government interventions by Opportunist · · Score: 1

      Duuuuuh, upnp... is that the new detergent?

      Please realize what dimwits buy those crappy pieces of junk hardware. You honestly expect them to even know what they're doing?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:government interventions by thegarbz · · Score: 1

      or just turn off UPnP on your firewall?

      Break my internet connection because of a misbehaving insecure device that should instead simply be blacklisted? No thanks.

      I have better things to do than manually manage port forwarding, and the collective world's shrug of shoulders when it comes to IP address space exhaustion has already broken end-to-end connectivity of the internet enough without disabling about the only part of home infrastructure that still prevents me from getting daily "son the internet isn't working again, can you drop by" calls.

    3. Re:government interventions by silas_moeckel · · Score: 1

      Break what exactly? UPnP is not assumed to work; it's not some ancient protocol, it was a hack to get home users to let devices do whatever they want.

      --
      No sir I dont like it.
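Bert64's remark above that UPnP is an automated way to punch holes through the firewall, and silas_moeckel's advice to turn it off, point to a check worth running before deciding: ask the router what UPnP has already opened. The script below is an added example, not code from the thread; it assumes a UPnP-capable gateway on the LAN, uses only the Python standard library, and embeds constructed sample replies (marked as such) so its parsers can be exercised offline.

```python
"""Added example, not code from the thread: audit the port mappings a UPnP gateway (IGD) has opened via
SSDP discovery, the description's WAN*Connection control URL, and GetGenericPortMappingEntry walked to error 713."""
import re
import socket
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
ACTION = "GetGenericPortMappingEntry"
WAN_SERVICES = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                "urn:schemas-upnp-org:service:WANPPPConnection:1")
MAPPING_FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
                  "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")
# Constructed sample replies for offline use (shape per the IGD spec, values made up).
SAMPLE_DESC = """<root xmlns="urn:schemas-upnp-org:device-1-0"><device><deviceList><device><serviceList>
<service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/ctl/IPConn</controlURL></service></serviceList></device></deviceList></device></root>"""
SAMPLE_ENTRY = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>
<u:GetGenericPortMappingEntryResponse xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>
<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient><NewEnabled>1</NewEnabled>
<NewPortMappingDescription>DVR web</NewPortMappingDescription><NewLeaseDuration>0</NewLeaseDuration>
</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"""
SAMPLE_END = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body><s:Fault>
<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring><detail>
<UPnPError xmlns="urn:schemas-upnp-org:control-1-0"><errorCode>713</errorCode>
<errorDescription>SpecifiedArrayIndexInvalid</errorDescription></UPnPError></detail></s:Fault></s:Body></s:Envelope>"""

def _local(tag):  # strip the '{namespace}' prefix ElementTree puts on qualified tags
    return tag.rsplit("}", 1)[-1]

def parse_ssdp_location(reply):
    """Return the LOCATION header of an SSDP reply (header names are case-insensitive)."""
    m = re.search(r"^location:[ \t]*(\S+)", reply, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def discover_igd(timeout=2.0):
    """Multicast an M-SEARCH for an IGD; return the first responder's description URL or None."""
    msg = ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
           'MAN: "ssdp:discover"\r\nMX: 1\r\nST: %s\r\n\r\n' % IGD_ST)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(msg.encode(), SSDP_ADDR)
        try:
            return parse_ssdp_location(sock.recvfrom(4096)[0].decode(errors="replace"))
        except socket.timeout:  # no gateway answered: nothing is opening ports this way
            return None

def find_wan_service(description_xml, base_url):
    """Return (serviceType, absolute controlURL) of the WAN IP/PPP connection service, or None."""
    for svc in ET.fromstring(description_xml).iter():
        if _local(svc.tag) == "service":
            f = {_local(c.tag): (c.text or "").strip() for c in svc}
            if f.get("serviceType") in WAN_SERVICES:
                return f["serviceType"], urllib.parse.urljoin(base_url, f["controlURL"])
    return None

def build_soap(service_type, action, args):
    """Wrap a UPnP action in the SOAP envelope the control URL expects."""
    body = "".join("<%s>%s</%s>" % (k, v, k) for k, v in args.items())
    return ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"'
            ' s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body><u:%s xmlns:u="%s">'
            '%s</u:%s></s:Body></s:Envelope>' % (action, service_type, body, action))

def parse_mapping_response(xml_text):
    """One mapping as a dict; None when the router reports error 713 (index past the end of the table)."""
    texts = {_local(e.tag): (e.text or "").strip() for e in ET.fromstring(xml_text).iter()}
    if texts.get("errorCode") == "713":
        return None
    if "errorCode" in texts:
        raise RuntimeError("UPnP error %s: %s" % (texts["errorCode"], texts.get("errorDescription")))
    return {k: texts.get(k, "") for k in MAPPING_FIELDS}

def list_port_mappings(service_type, control_url, limit=1000):
    """Walk the mapping table index by index until the router says there are no more."""
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": '"%s#%s"' % (service_type, ACTION)}
    mappings = []
    for index in range(limit):
        body = build_soap(service_type, ACTION, {"NewPortMappingIndex": str(index)}).encode()
        try:
            with urllib.request.urlopen(urllib.request.Request(control_url, body, headers), timeout=5) as r:
                text = r.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # SOAP faults arrive as HTTP 500 with an XML body
            text = err.read().decode(errors="replace")
        if (entry := parse_mapping_response(text)) is None:
            break
        mappings.append(entry)
    return mappings

if __name__ == "__main__":
    location = discover_igd()
    if location:
        with urllib.request.urlopen(location, timeout=5) as resp:
            wan = find_wan_service(resp.read().decode(errors="replace"), location)
        for m in list_port_mappings(*wan) if wan else []:
            print("%(NewProtocol)s %(NewExternalPort)s -> %(NewInternalClient)s:%(NewInternalPort)s %(NewPortMappingDescription)s" % m)
```

An empty listing (or no SSDP answer at all) means nothing is being forwarded by UPnP; every line that does appear is a port reachable from the internet that no one configured by hand.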
    4. Re:government interventions by silas_moeckel · · Score: 1

      A lot of IoT design is broken. My thermostats are all part of my home automation. They do not have an IP address, nor should they. I have an HA controller that has an IP address. Right now piles of IoT vendors are trying to make one-off "we can sell you a service at a few bucks a month" devices. Making devices that should last for decades. The model is broken; HA/IoT needs standard controllers, not some cloud thing. My old HA controller is perfectly capable of also being a Wi-Fi AP and firewall, and really most HA functions could easily be done on a modern Wi-Fi AP. It's a question of having the right radios to talk to everything.

      --
      No sir I dont like it.
  9. Re:The government can fix this? by hsmith · · Score: 1

    What makes anyone think the government would want to do that? They'd much rather it be wide open so they can get into systems. The last thing they want is to push down hardened security.

  10. But! by fluffernutter · · Score: 1

    But markets solve ALL problems!

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:But! by Opportunist · · Score: 1

      Markets solve all problems for themselves. Not anyone else.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:But! by Bing+Tsher+E · · Score: 1

      But markets solve ALL problems!

      So your corollary is that juntas solve all problems??

  11. Feedback by phorm · · Score: 1

    If these devices are so trivially insecure and easy to get into, maybe the best way to deal with them currently is to use the same exploits used by blackhats to knock them offline.

    1. Re:Feedback by Opportunist · · Score: 1

      And exactly that is illegal. Sure, a blackhat doesn't care, but a company that could (and, in this lawsuit-happy country, certainly WOULD) be sued does.

      In that fucked up system someone who is not only stupid enough to buy such a crappy piece of junk but also stupid enough to not even WANT to know a thing about its function and dangers could actually sue someone trying to fix the problem AND get rewarded. Yes, this system rewards stupidity and punishes anyone trying to save it from the stupid. Wrap your mind around that.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Feedback by phorm · · Score: 1

      Yup. I wasn't suggesting that just anyone should do it, but - assuming that laws might be passed regarding the securing of IOT devices - there could probably also be dispensations made for removing bad devices from the internet.

    3. Re:Feedback by Opportunist · · Score: 1

      Whoa, careful there! Who gets to define what a "bad device" is?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Feedback by phorm · · Score: 1

      Infected devices shown to be participating in a botnet/attack?

    5. Re:Feedback by phorm · · Score: 1

      I should clarify that I've had something similar to this happen to me in the past.
      (a long time ago) I had a server which was running a squid proxy. The proxy was fairly open but the firewall rules prevented it from being accessible outside of my LAN unless one SSH'ed in. During an upgrade I broke the firewall rules and accidentally had it open to the world, after which some jerk/jerks hijacked it for nefarious purposes.

      Somebody traced it back to my IP, and my ISP verified it was an issue, then killed my internet service and left me a voicemail letting me know. Once I fixed the issue, they double-checked and let me come back online.

      I'd imagine a similar situation for infected devices, but perhaps just knocking the offending device offline if possible (ISP could probably do this from the modem/router if it's one they control, or if the device is accessible via a crappy backdoor it could be told to shutdown).

      So long as this follows a proper process with records to show why, I'm actually quite cool with it. I realize a lot of people are wary because of the BS "3 strikes" laws, but it should be easier to show that somebody is participating in a botnet than deep-dive their traffic to check they aren't downloading hurtlock.mkv...

    6. Re:Feedback by Opportunist · · Score: 1

      No matter how you word it, you can bet your CPU that the ??AAs will try to make computers running torrent software "bad devices".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. Fuck you statists! The Market will solve this... by NoNonAlphaCharsHere · · Score: 1

    Tech-clueless buyers will naturally gravitate to Internet-enabled toasters and refrigerators that cost twice as much money but can't be pwned with minimal effort by fourth-graders; and the problem will solve itself -- right after donkeys fly.

  13. Technically we built it to be the IoT at first by WillAffleckUW · · Score: 2

    Seriously, we built cameras that watched coffee pots, and coke machines, and watched the crystallography doors to see if people went to lunch so we could get console zero and run stuff.

    It's just you n00bZ that think it's all you unwashed masses that we built it for.

    That said, just because you can do something, doesn't mean you should.

    My fridge should stop pinging the toaster, it's just rude.

    --
    -- Tigger warning: This post may contain tiggers! --
  14. This is unpossible! by Opportunist · · Score: 1

    The market is the only thing that could save us. Government is bad! BAD, I tell you! Trust the invisible hand to squash those problems! The market will sort it out!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  15. IOiT by h8sg8s · · Score: 1

    No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

    --
    Organization? You must be joking..
  16. government would make it worse by locopuyo · · Score: 1

    There would be a government mandated certification that wouldn't actually ensure things are more secure.
    It would be an expensive and slow process so start-ups and small scale companies can't compete with the big corporations.

  17. This is where gov helps by mx+b · · Score: 1

    No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.

    I see comments flipping out already about "how can government fix things?". Well, through stuff like fines. I've heard the FCC is investigating IoT-type vendors. If the FCC can fine companies, or even ban them from selling products in the US until they meet a minimum standard, that will have a huge effect on these companies' behavior.

    So far, they make cheap crappy things with crappy firmware, and users/customers aren't tech savvy enough to know how to pick a device with better security features. In fact, there's no way for even a professional to tell from the box or specs. So the company has made their money from you before you know it's bad. We need regulations and perhaps some gov/non-profit testing labs for these devices. Between regulations/fines, and some rating system to allow users to make the best decisions, we can change how the market behaves.

  18. Can't see how... by DriveDog · · Score: 2

    ...a national government can fix this, and I believe in appropriate laws and regulations. Unless we wall off the internet into national subnets, and I sure don't want that. I can imagine an international organization in which states become members by agreeing to track and prosecute DDoSers and manufacturers of insecure devices and disallow nonmember states from connecting. Works for a year or two until scope creep turns the organization into a surveillance and enforcement nightmare.

    1. Re:Can't see how... by Wyzard · · Score: 1

      Can't see how a national government can fix this

      By making manufacturers liable for damage done by their insecure devices.

      Insecure software is an externality: the manufacturer creates the vulnerability, but the customer (or the whole public) bears the cost when it's exploited. Free-market competition is good at optimizing for minimum cost, but by default, externalities aren't included in the cost being optimized. That's why you get cheap, insecure devices.

      If manufacturers are held liable for damage done by security flaws in their devices, that cost is no longer external. The manufacturer bears the cost of its own insecurity, and has an incentive to reduce that cost. Security becomes cost-effective, and competition will reward the manufacturers who do it the best.

      The government doesn't have to mandate that devices be secure. It doesn't have to verify that devices are secure. It just has to make the manufacturer liable when a device is insecure, and the market can do the rest.

      (This will, however, generally raise the price of devices. The cost of security gets transferred more directly to the customer, instead of foisted onto the public.)

    2. Re:Can't see how... by Wyzard · · Score: 1

      It's one thing if you've made a conscientious and competent effort to build a secure product, and you provide security updates for a reasonable support period afterward. The point isn't to punish vendors for not being perfect; responsibility for an attack ultimately lies with the attacker, after all, and the vendor is a victim too.

      Something like an open telnet port with a hard-coded password, though, is gross negligence. Heartbleed might not be the device vendor's fault, but not providing a firmware update to fix it, for devices that haven't reached a reasonable end-of-life date, is gross negligence. Continuing to ship something like Debian 3, which reached end-of-life and stopped getting security updates more than a decade ago, is gross negligence.

      That's the sort of thing that vendors ought to be held liable for. Gross negligence in the security of your product makes you an (unwitting) contributor to the attack, not an innocent victim.

      Getting updates actually installed on devices, after they're released by the vendor, is tricky. It may be a good idea to have the device just update itself automatically, though that opens a different can of worms relating to forced updates and people's control over the devices they own. But if the owner chooses not to install a security update within some reasonable time period after it's released, maybe the owner should be liable for some portion of the damage when the device ends up participating in an attack.
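      The three "gross negligence" markers the comment above names (a telnet daemon started at boot with a hard-coded root password, an unpatched Heartbleed-era OpenSSL, and an end-of-life base distribution) are all things that can be checked mechanically once a firmware image is unpacked. The following is an added example, not code from the thread or from any commenter, of such an audit. It assumes the firmware root filesystem has already been extracted into a path-to-contents mapping (a real tool would walk the unpacked directory instead); the sample image contents and the password hash in it are constructed for illustration, and the list of end-of-life Debian releases is a deliberately short stand-in for a maintained table.

```python
"""Firmware root-filesystem audit for the negligence markers discussed above.

Added example; not part of the original thread. The rootfs is modelled as a
dict mapping a relative path to its (text) contents, as if produced by an
unpacking step. All sample data below is constructed, not from a real device.
"""
import re

# Heartbleed (CVE-2014-0160) affects OpenSSL 1.0.1 through 1.0.1f;
# 1.0.1g and later carry the fix. The \b stops "1.0.1g"/"1.0.1t" matching.
HEARTBLEED_RE = re.compile(r"OpenSSL 1\.0\.1([a-f])?\b")

# Assumption: a short stand-in for a maintained table of EOL Debian releases.
EOL_DEBIAN = {"3.0", "3.1", "4.0", "5.0", "6.0"}

# A usable crypt(3) hash: "$id$salt$hash" (MD5/SHA/bcrypt style) or 13-char DES.
USABLE_HASH_RE = re.compile(r"\$[0-9a-z]+\$.+|[./0-9A-Za-z]{13}")


def telnet_enabled(rootfs):
    """True if an uncommented inittab/rcS line starts telnetd at boot."""
    for path in ("etc/inittab", "etc/init.d/rcS"):
        text = rootfs.get(path, "")
        # [^#\n]* cannot cross a '#', so commented-out lines are ignored.
        if re.search(r"^[^#\n]*\btelnetd\b", text, re.MULTILINE):
            return True
    return False


def hardcoded_root_password(rootfs):
    """True if root has a real (not locked/empty/shadowed) hash baked into the image."""
    for path in ("etc/shadow", "etc/passwd"):
        for line in rootfs.get(path, "").splitlines():
            fields = line.split(":")
            if len(fields) > 1 and fields[0] == "root":
                if USABLE_HASH_RE.fullmatch(fields[1]):
                    return True
    return False


def heartbleed_openssl(rootfs):
    """Return the vulnerable OpenSSL version string embedded in libssl/libcrypto, or None."""
    for path, data in rootfs.items():
        if "libssl" in path or "libcrypto" in path:
            m = HEARTBLEED_RE.search(data)
            if m:
                return m.group(0)
    return None


def eol_distribution(rootfs):
    """Return the Debian release string if the base system is end-of-life, else None."""
    ver = rootfs.get("etc/debian_version", "").strip()
    return ver if ver in EOL_DEBIAN else None


def audit(rootfs):
    """Run every check and return a list of human-readable findings (empty = clean)."""
    findings = []
    if telnet_enabled(rootfs) and hardcoded_root_password(rootfs):
        findings.append("telnetd started at boot with a hard-coded root password")
    elif telnet_enabled(rootfs):
        findings.append("telnetd started at boot")
    version = heartbleed_openssl(rootfs)
    if version:
        findings.append(f"Heartbleed-vulnerable {version} shipped in firmware")
    release = eol_distribution(rootfs)
    if release:
        findings.append(f"end-of-life base system: Debian {release}")
    return findings


# Constructed sample: the kind of image the comment calls grossly negligent.
SAMPLE_ROOTFS = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n::respawn:/usr/sbin/telnetd -l /bin/login\n",
    "etc/shadow": "root:$1$abc$VrSjO6t2Bxo1FNG1OyZ.P0:10933:0:99999:7:::\n"
                  "nobody:*:10933:0:99999:7:::\n",
    "etc/debian_version": "3.0\n",
    "usr/lib/libssl.so.1.0.0": "...binary...OpenSSL 1.0.1e 11 Feb 2013...",
}

# Constructed sample: same device after the vendor fixed all three issues.
PATCHED_ROOTFS = {
    "etc/inittab": "::sysinit:/etc/init.d/rcS\n#::respawn:/usr/sbin/telnetd -l /bin/login\n",
    "etc/shadow": "root:!:17000:0:99999:7:::\nnobody:*:17000:0:99999:7:::\n",
    "etc/debian_version": "8.6\n",
    "usr/lib/libssl.so.1.0.0": "...binary...OpenSSL 1.0.1t  3 May 2016...",
}

if __name__ == "__main__":
    for name, fs in (("sample", SAMPLE_ROOTFS), ("patched", PATCHED_ROOTFS)):
        print(name, "->", audit(fs) or ["no findings"])
```

      Each check is deliberately narrow and string-based so it can run over an unpacked image without executing anything from it; a locked root account (`!` or `*` in the hash field) and a commented-out telnetd line are treated as not negligent, which is the distinction the comment draws between "not perfect" and "grossly negligent".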

  19. Pass law that allows 3rd party to brick devices by Anonymous Coward · · Score: 2, Insightful

    Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.

    Script kiddies can then have fun bricking insecure devices found on the internet, and users will be forced to care about the security of the IoT devices that they run. And if users care more, then device manufacturers will respond.

  20. Re:Why government intervention all the time? by psycho12345 · · Score: 2

    Here's the issue

    1) Good luck doing this. It currently is tricky as is.

    2) Here's the REALLY fun one. You identify the entity with the device, they live in another country. You now lack any legal power to influence them whatsoever, unless you have the money to file an international complaint/lawsuit, assuming it is even possible.

    2a) Assume your suit goes through, it gets promptly ignored. Random hacked Chinese/Russian/Australian/German is not going to care what some person in another country thinks.

  21. Many 'IoT' devices are unnecessary anyway by Rick+Schumann · · Score: 1

    Many of these 'IoT' devices are literally solutions in search of a problem, being pushed by overeager marketers looking for a new way to get your hard-earned dollars. Honestly, ask yourself how many of these things do you really need? Some of them are useful, granted, but most of them are just toys that you can get along just fine without, and remove a layer of complication from your life in the process.

  22. Re:B...b...but government always BAD! by Anonymous Coward · · Score: 1

    That's a pathetically weak argument there, certainly not strong enough to lord it over your opponent as a "shithead." Moreover, what the fuck is up with your prose?

    Assertion: "The government can indeed help with certain problems, but not this one."
    Support 1: They, whoever 'they' are, are unable to understand the problem. That's awfully vague and unsubstantiated.
    Support 2: "They lack the ability to create any useful solution." umm, that's just a rewording of your assertion.
    Conclusion: "solutions will have to come from another source" more hand-waviness, based on an assertion that you didn't prove.

    You're exactly the kind of shithead that attempts to ape rational argumentation based on what you think it sounds like. You have no ability to generate it or express it in legitimate prose.

  23. JUSTICE IS SERVED! by TiggertheMad · · Score: 1

    Modifying software/firmware on computers and devices that you don't own or have been explicitly granted access to is criminal hacking, and a federal felony. Your suggestion might work, but I suspect that the definition of 'white hat' doesn't include incurring hundreds of thousands of counts of a felony activity.

    Perhaps the word you were looking for is 'Vigilante'?

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:JUSTICE IS SERVED! by Bert64 · · Score: 1

      Not everywhere, simply get someone in a jurisdiction where it's not illegal to deploy such tools and do the whole world a favor.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  24. Re:B...b...but government always BAD! by lgw · · Score: 4, Insightful

    Someone else suggested a UL-like certification for household IoT. I really like that solution. It's not hard for the average person to understand that this seal means a stranger can't watch you through your webcam, can't unlock your doors, etc. I think people would care, if it were as simple as looking for 1 logo, no geek needed.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  25. not a market failure by ooloorie · · Score: 1

    That's not a "market failure", it's a government failure: the way liability is handled for software and security, companies get away with selling insecure crap without anybody being able to sue them for damages.

  26. The government? by Watter · · Score: 1

    "...it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own."

    Are you kidding me? I work for a company that is betting its future on IoT in the manufacturing and heavy equipment area. I promise you, it's the evil 'ole "market" that is causing us to focus a HUGE portion of our resources on security. How do you figure it isn't in every IoT maker's best interest to deliver secure products? They may be failing right now but those that do it right will win in the market. This isn't 2002 when security was an afterthought. Even tech novices are aware of security issues these days and demand it from the companies that supply them.

    Show me one time where the government has gotten something like this right! They can't even handle their own security and you want them crafting regulation to manage the security of everyone else? The mind boggles.

  27. but but but by Some_Llama · · Score: 1

    the free market can fix all things, regulation is bad and hampers the self correcting free market.

    1. Re:but but but by Bing+Tsher+E · · Score: 1

      Another content-free garbage comment.

  28. How much bandwidth do these things need? by wjcofkc · · Score: 1

    Surely most IoT devices need very little bandwidth to call home. Let's limit that to the minimum and call it standards based. For example, if an IoT device truly only needs say 5k of bandwidth here and there, then limit it to that. Better yet, work to limit the bandwidth all IoT devices need. Real security is even better, but we all know that takes a back seat.

    --
    Brought to you by Carl's Junior.
    1. Re:How much bandwidth do these things need? by I4ko · · Score: 1

      Hard with cameras. They really need to be able to upload to the offsite FTP server as fast as possible

  29. Open Source to the Rescue by redcliffe · · Score: 1

    I feel like in a way we need more open source firmware options. Sure most of these run Linux, but it's the configuration and front end custom software that's the problem. If there were a good standard open source distribution for different devices that was secure by default maybe this would be better.

  30. IoT clusterfuck by Chas · · Score: 1

    On its surface, the IoT sounds like a neat idea.

    Unfortunately, in implementation, it's a raging clusterfuck.

    Basically, just because you can connect ANYTHING to a network doesn't mean you SHOULD.

    --
    Chas - The one, the only.
    THANK GOD!!!
  31. Why support the unbacked claim on this? by MyFirstNameIsPaul · · Score: 1

    The government proposes to add a backdoor to all encryption systems, and Schneier, an encryption expert, immediately goes to bat, contributing to and promoting large amounts of nuanced study on the matter to explain why such a proposal will fail. Then, on this networking issue, Schneier provides a completely unbacked claim that the Government is somehow going to magically fix something. I guess because Schneier is a "good guy" I should just assume that his completely unsubstantiated, critical-thinking-free solution is the one that we should support.

    There is nothing the U.S. Government can do about hacked IoT devices in other countries. How about that one, Schneier? Are you even going to admit that the fundamental core of the World Wide Web is a substantial part of the problem, and cannot be addressed by U.S. government legislation?

    Schneier's claim is barely three weeks from the date of the event, and Schneier is boldly proclaiming the market has failed. Puh-lease. There are very few, if any, events of this magnitude that any "solution", private or public, can take care of, or even propose to take care of, in such a short time.

    Brian Krebs has clearly been the victim of some malicious actor, and as such must have methods for being made whole. These options do not even seem to merit any evaluation by Schneier.

    --
    I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.

  32. Straightforward solution by sigmabody · · Score: 1

    As with other instances where the ROI for implementing good computer security is not there, with potentially disastrous societal consequences...

    Make manufacturers liable for damages if their devices are compromised for malicious purposes (DDOS, PII extraction, etc.). Make anyone collecting PII or selling a network-connected device have insurance to cover liability for losses due to security. Bam, problem solved: the insurance market will create the implied ROI (vis-a-vis reduced insurance costs), and businesses will either modify their products or behavior accordingly. The solution also side-steps most of the traditional and vexing issues with government oversight (eg: since there's no government-specified "security standard" or anything, there's no potential to make a gigantic mess of that).

    It seems so obvious, but I suppose that's why it's seemingly entirely inscrutable to the people in government...

  33. Bruce Schneier: I'm old and scared by swalve · · Score: 1

    If he is so smart, why is he writing letters to the editor instead of working toward a solution?

    1. Re:Bruce Schneier: I'm old and scared by Bing+Tsher+E · · Score: 1

      Bruce Schneier is a journalist/popular-writer. He wrote a precedent-breaking book on Cryptography. He didn't write it because he was a cryptographer, he wrote it because he dared to do so when a lot of other people were afraid to do so. Out of this, he established a punditry that allows him to pretend to be a 'smart cryptography expert.' Sometimes he's even billed as a 'security expert.' But really he's a popular writer who writes for nerds. Not an expert who could contribute a solution.

  34. Re:Where's the Krebs DDOS analysis? by I4ko · · Score: 1

    OVH said it

  35. Re:B...b...but government always BAD! by Bing+Tsher+E · · Score: 3, Informative

    And notably, the UL is a non-governmental organization.

  36. underlying insecurity by bigtreeman · · Score: 1

    The internet will never be secure while it is based on insecure hardware and protocols.

    --
    Go well
  37. Re: B...b...but government always BAD! by kuhnto · · Score: 1

    While I agree with your sarcasm, I will say that there are a LOT of people actively involved in keeping those systems secure non-stop.

    --
    "A 'person' is smart. 'People' are dumb, panicky animals and you know that."