Slashdot Mirror


Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com)

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

85 comments

  1. Yep, that's the entire point by Anonymous Coward · · Score: 1

    Once again, everyone's threats, concerns, and "dire warnings" mean absolutely zero. It will happen and there is nothing anyone can do about it.

    1. Re:Yep, that's the entire point by coastwalker · · Score: 0

      Yup, which is why there are no IOT products in my home. No smart meters, no nest thermostats, just ethernet cable and firewalls. So the rest of you can frig off in a handcart to hell and if I am not run over by a self driving bus you morons can debug the stuff for me. Bye!

      --
      Facts are history now plebs have politics for religion on social media.
    2. Re:Yep, that's the entire point by Ol Olsoc · · Score: 1

      Grandpa - you finally got email!

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Yep, that's the entire point by coastwalker · · Score: 1

      I had email in 1986 punk :-)

      --
      Facts are history now plebs have politics for religion on social media.
  2. Bruce Schneier ... by Anonymous Coward · · Score: 1, Insightful

    ... is an idiot in this instance when it comes to calling for legislation for IoT. The whole problem is humanity did not evolve to make rational decisions in a high-tech free-market society; no amount of legislation is going to overcome humans' old meaty brain. Just like banks got bailouts because they own the government, any legislative body in America will quickly succumb to regulatory capture, making the whole thing worthless. Not only that, the internet is planet-wide; you need co-operation with foreign governments, and human beings have problems enough dealing with global warming. The whole regulatory system in America is a clusterfuck, especially with Trump. Is he really expecting Trump and his administration to make sound policy? I wouldn't trust Trump with my toaster.

    Let's just admit, humanity generally at this point in history has accelerated its development before its old monkey brain is able to catch up. Human beings are not evolving as fast as they are developing technology, which is the fundamental issue. Humans' lack of intelligence, maturity and foresight can't be overcome by adding more burdensome rules, especially given the political "don't tread on me" culture of the American people.

    1. Re: Bruce Schneier ... by bradley13 · · Score: 2

      Yep. He needs to remember the old adage: be careful what you wish for; you might get it. He says he sees it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation.

      Stupid is what he's going to get.

      --
      Enjoy life! This is not a dress rehearsal.
    2. Re:Bruce Schneier ... by CyclistOne · · Score: 4, Informative

      I don't think Bruce Schneier is an idiot, but otherwise, I tend to agree with this. Read Jacques Ellul ("The Technological Society", "The Technological System") to better understand this.

    3. Re: Bruce Schneier ... by gtall · · Score: 2

      Car and truck regulations, plane regulations, food and drug regulations, OSHA regulations, financial regulations, etc.

      Without them, you'd be dead.

    4. Re:Bruce Schneier ... by Anonymous Coward · · Score: 1

      It's not Schneier's (or Hawking's, Musk's, Gates', Berners-Lee's etc.) job to figure out how to convince Trump and other government leaders to act responsibly. These people aren't politicians, although you could argue that Musk and Gates have developed some political skills.

      Nobody can see the future with clarity, but these gentlemen clearly deserve to be heard, based on their track record, exposure to cutting edge research and researchers and innovating scientists and engineers. Maybe they're way off; but maybe they're onto something important.

    5. Re: Bruce Schneier ... by Anonymous Coward · · Score: 0

      Nope.

      You probably would be since you're a fuckin idiot. We'd be better off for it too.

    6. Re:Bruce Schneier ... by Cmdln Daco · · Score: 1

      Bruce Schneier is a 'cryptography journalist.' He has no credentials beyond writing a controversial book over a decade ago about Cryptography and leveraging it into a career as a 'cryptography expert.' He is not a cryptographer, and thus not a 'peer' in the peer review process.

      Well, maybe he's an 'expert' in journalistic/writer terms. Just like a blogger about Geology is a blogger about Geology.

    7. Re:Bruce Schneier ... by Anonymous Coward · · Score: 0

      I read it. Citing him here is ironic, as he considered clocks dehumanizing.

    8. Re: Bruce Schneier ... by Anonymous Coward · · Score: 1

      He invented the Blowfish cipher. How is he not a cryptographer?

    9. Re:Bruce Schneier ... by Anonymous Coward · · Score: 0

      See the RSA presentation. He is presenting the case that legislation or regulation will be inevitable. Its shape and reach is another matter, and hopefully one for the well-informed to influence.

    10. Re:Bruce Schneier ... by Elric55 · · Score: 1

      I read your entire post AC. I'm still waiting for your solution to this problem. Is it to let it all crash and burn? Seems better than a suggestion by Bruce Schneier.

  3. Economics by Anonymous Coward · · Score: 3, Insightful

    >But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning.

    I highly doubt regulation will cause many IoT companies to take security seriously unless it has some teeth. And then regulation becomes a barrier to entry for smaller companies, so there would be fewer IoT sellers, and maybe that's a good thing according to Schneier.

    1. Re:Economics by mentil · · Score: 2

      In practice we're going to get 'best-practices' checklists that they check off (self-certified), which are so overspecific (and quickly out of date) that huge classes of vulnerabilities will be completely unaddressed, and others will be 'addressed' inadequately. What we NEED is a provision that if anyone manages to find a vulnerability that grants unauthorized entry, all units must be recalled and installed units shall be refunded (oh and the consumer gets to keep the installed unit). That'll guarantee a bare-minimum of hackable features, and thorough testing of everything put in, rather than "Bluetooth and a full wifi stack on my front door lock" BS.

      The way I see things eventually going is there being a central 'house computer' that controls all of the IoT devices in the home, utilizing some industry-standard protocol for interacting with the IoT devices so that the computer's OS doesn't matter (networkable lightbulbs have had this for decades). There's one central point of failure, but also only one device that needs security updates, and these things will be sold on their quality/length of updates.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
  4. Professionalize computer science by VikingNation · · Score: 5, Insightful

    Many engineers who design bridges, roads, buildings, power systems, etc. are required to get a professional engineering certificate. There is no equivalent for computer scientists in the United States. Until there is liability for poor designs and implementation there will be changes to improve quality and security.

    1. Re:Professionalize computer science by El_Muerte_TDS · · Score: 1

      Those engineering activities are/will be moved to India. You need to hold upper management accountable.

    2. Re:Professionalize computer science by Anonymous Coward · · Score: 0

      And what proportion of that upper management is also located in someplace where US laws don't apply? It strikes me as very likely that the only presence a lot of these companies would have here is a detachable marketing/sales presence in the form of a subsidiary. Do you expect that local sellers and distributors ever do anything other than simple pass-through of products (in one direction) and money (in the other direction)?

    3. Re:Professionalize computer science by Sperbels · · Score: 1, Funny

      Does that mean we can hold Dennis Ritchie responsible for all of the buffer overflow related crashes and security exploits?

    4. Re:Professionalize computer science by fisted · · Score: 4, Funny

      No, but maybe John von Neumann.

    5. Re:Professionalize computer science by gtall · · Score: 2

      The scale of new bridges, roads, buildings, power systems, etc. is dwarfed by that of computer science applications (those that do not involve new bridges, etc.). To expect the same level of standards is silly. That said, I wouldn't mind better legal ramifications for building something flawed.

    6. Re:Professionalize computer science by bill_mcgonigle · · Score: 2, Insightful

      Until there is liability for poor designs and implementation there will be changes to improve quality and security.

      Show me the equations that show if a bridge will hold up. Fine, those are well-known.

      Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm, so that a Computer Science "Engineer" can place his professional stamp on one. And remember, nobody will buy Windows that takes thirty years to get out the door at six-thousand bucks a copy.

      Really, though, do you even CS, bro? Besides the software-provability problem, a bridge engineer is not responsible for any shoddy work that is hidden from him by a lackluster construction crew (and no, inspections are not fool-proof if there is professional malpractice occurring).

      You can't simply make a comparison between a static and a dynamic system and declare equivalence. That's as silly as Schneier thinking that regulators will save us from ourselves. He should look into real insurance, strict liability, and/or marketable torts if he wants a system that can actually provide better results.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Professionalize computer science by Anonymous Coward · · Score: 0

      There is no IoT.
      A separate "net" should be required for devices, a real IoT. Non-upgradeable net-connected devices are a bad idea. Have we not seen enough of this already?
      Professional liability is pretty much a non-starter in this field, as the Internet is ever changing; there are not many strict laws of physics here. Had it been possible, it would already have happened.

    8. Re:Professionalize computer science by Anonymous Coward · · Score: 0

      design bridges, roads, buildings, power systems, etc.

      All those things will get IoT components designed and retrofitted into them eventually. When an add-on or singular component can influence the safety and security of the whole system (as it is today), the regulation related to that component is an eventuality. The question is if the industry can create the regulation themselves in due time or is the government regulation needed. The way things have gone during the last 30 years, I'm betting against the industry.

    9. Re:Professionalize computer science by drinkypoo · · Score: 3

      Show me the equations that show if a bridge will hold up. Fine, those are well-known.
      Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm,

      There is a reasonable interim step where the programmer proves that they utilized best practices. In some fields there are actually published standards, like say for people making PCMs for automobiles. Toyota got nailed on the unintended acceleration issue largely because they made no attempt to follow industry best practices or even their own internal practices, and their code had numerous bugs which should have been considered show-stoppers as a result. The code was so bad that it would regularly crash and fall back into an internal failsafe mode, and if they had followed best practices, it would have at minimum recovered itself to a sane state, which was not what happened.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    10. Re:Professionalize computer science by JaredOfEuropa · · Score: 2

      This. Also see my sig.

      With that said, not having a way to guarantee that your software is secure is no excuse for not exercising established security practices. They may not provide a 100% guarantee but it's better than nothing. A lot of the hacks of IoT equipment that we've been hearing so much about were possible because of inexcusable negligence on the part of the manufacturer.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    11. Re:Professionalize computer science by Ol Olsoc · · Score: 1

      There is no IoT.

      There is only Zuul.

      A separate "net" should be required for devices, a real IoT. Non-upgradeable net-connected devices are a bad idea. Have we not seen enough of this already?

      That still doesn't protect the IoT from being taken down by its own.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    12. Re:Professionalize computer science by luis_a_espinal · · Score: 1

      those engineering activities are/will be moved to India. You need to hold upper management accountable.

      People keep repeating this shit over and over. Some of it goes offshore. Some does not. And new stuff certainly doesn't, at least not until it gets mainstream.

      It will change once China and India become more entrepreneurial and innovative (it's not a matter of IF but WHEN). But for the time being, and for a good while, roll with the punches and stay ahead of the curve. If you do the same job after 5-10 years, expect your work to go to wherever.

  5. Do I have to register my arduino? by thinkwaitfast · · Score: 1

    That would be swell.

    1. Re:Do I have to register my arduino? by Anonymous Coward · · Score: 0

      Only if you connect it to both an actuator and a public facing ip address. Register so we have a list of idiots. Captcha: "isolated"

    2. Re:Do I have to register my arduino? by thinkwaitfast · · Score: 1

      Of course I have servos connected to the arduino (and also to my rpi through an ssc-32). I also have random sensors, depending on what I'm playing with at the time. My ip is public enough to have been crawled by google.

      I figure they'll make it a requirement to be a registered device to connect to the internet and hack some IP payload space to hold the registration number (I've done this before and it is very easy).

    3. Re:Do I have to register my arduino? by Anonymous Coward · · Score: 0

      Citizens found to have conducted linkage without the appropriate permit and licensing will be subject to no less than a $2000 US fee per each executable or library file, and possible imprisonment.

      Your sketches qualify.

  6. Together, allegiance or death by rsilvergun · · Score: 1

    Big Fire! Of course, nobody knows this but the Internet is Nuclear Powered....

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  7. Easy fix by Rosco P. Coltrane · · Score: 3, Insightful

    Don't buy IoT devices. Problem solved.

    Everybody knows they offer marginally beneficial services to the user, and massive surveillance and privacy invasion opportunities for big data, unconstitutional government agencies and other sumbitches.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Easy fix by Anonymous Coward · · Score: 4, Insightful

      I don't think that 'everybody' knows this. Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.

    2. Re: Easy fix by Anonymous Coward · · Score: 5, Insightful

      That can be done now. Give it a few years, you won't be able to buy anything that is not made to be connected. Peer pressure, obsolescence and convenient buyback programs will take care of the reticent. It's a done deal.

    3. Re: Easy fix by TWX · · Score: 5, Interesting

      Half of the water heaters at Home Depot have electronic control panels, and a good chunk of those have WiFi capability.

      Do you trust Rheem or AO Smith to have enough IT security people available to know how to set the default state of these controls so that they're not exploitable?

      --
      Do not look into laser with remaining eye.
    4. Re: Easy fix by Rosco P. Coltrane · · Score: 4, Informative

      The thing is, as long as people pay for their own internet themselves, they're in complete control of what gets to connect to their wifi. So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless. And should they ever come with their own connectivity solution that bypasses the users' router completely, well... it's always possible to encase it in a Faraday cage of some sort.

      As for trusting manufacturers with IT security, that's not the only problem: even if they're serious about it and actually qualified to secure your device properly, personally I'm more concerned about what they do with my data - how they snoop on my habits, how they intend to misuse that data, or whom they intend to sell it to.

      If there's a buck to be made, companies won't even consider moral or ethical use of the data they collect. That's the only thing you can bet on with big data.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    5. Re:Easy fix by mea2214 · · Score: 1

      Don't buy IoT devices. Problem solved.

      Stick your IoT devices behind a firewall and heavily restrict or even deny Internet access but allow LAN access. Problem solved.

      You want to consult what's inside your wifi enabled refrigerator while bored at a movie? You can't. Deal with it.

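One way to implement the policy in this comment on a Linux router, as an added example that is not part of the thread: an nftables ruleset in which the trusted LAN can reach the IoT segment, the IoT segment cannot reach the Internet at all, and it cannot start connections into the LAN. The interface names, subnets and the router's own address are assumed placeholders for your network.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the thread): an nftables ruleset for a router that
# keeps IoT devices on their own segment and applies the comment's policy:
# the LAN may talk to the IoT devices, the IoT devices may not reach the
# Internet, and they may not start connections into the LAN.
# Assumed interface names and addresses (placeholders, adjust to your network):
#   wan0 - upstream/Internet interface
#   lan0 - trusted LAN, 192.168.1.0/24
#   iot0 - IoT segment, 192.168.50.0/24 (separate VLAN or SSID)
# The router itself serves DNS and NTP to the IoT segment at 192.168.50.1,
# so devices can still resolve names and keep time without Internet access.

flush ruleset

define WAN = "wan0"
define LAN = "lan0"
define IOT = "iot0"
define LAN_NET = 192.168.1.0/24
define IOT_NET = 192.168.50.0/24
define IOT_GW  = 192.168.50.1

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop
        iif lo accept

        # The trusted LAN may manage the router freely.
        iifname $LAN accept

        # IoT devices only get DHCP, plus DNS and NTP from the router itself.
        iifname $IOT udp dport 67 accept
        iifname $IOT ip daddr $IOT_GW udp dport { 53, 123 } accept
        iifname $IOT ip daddr $IOT_GW tcp dport 53 accept

        # Anything else the IoT segment sends to the router is logged and dropped,
        # which is also a cheap way to spot a device scanning its gateway.
        iifname $IOT log prefix "iot-to-router-drop: " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # LAN -> IoT: allowed, so phones and a house controller can reach devices.
        iifname $LAN oifname $IOT ip daddr $IOT_NET accept

        # LAN -> WAN: normal Internet access for trusted hosts.
        iifname $LAN oifname $WAN accept

        # IoT -> WAN is denied: the device cannot phone home or join a botnet.
        # Replies to LAN-initiated connections are already covered by the
        # established,related rule above.
        iifname $IOT oifname $WAN log prefix "iot-to-wan-drop: " drop

        # IoT -> LAN initiated connections are denied too: a compromised device
        # cannot pivot to workstations or NAS boxes on the trusted segment.
        iifname $IOT oifname $LAN log prefix "iot-to-lan-drop: " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;

        # Only the trusted LAN is masqueraded to the Internet. The IoT segment
        # is deliberately left out, so even a mistake in the forward chain
        # would not give it a usable path to the outside.
        ip saddr $LAN_NET oifname $WAN masquerade
    }
}
```

Load it with `nft -f <file>`; the logged drops show which devices keep trying to phone home, which is useful input for deciding whether a given gadget belongs on the network at all.
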
    6. Re: Easy fix by Hognoxious · · Score: 1

      So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless.

      I wouldn't touch any IoT thing that could get hot or explode with a borrowed bargepole, but my understanding is that a lot of them can only be operated via the manufacturers' sites.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    7. Re: Easy fix by Anonymous Coward · · Score: 0

      There's a fatal flaw in your otherwise solid logic ... what if the devices *require* an internet connection to function, like many modern games? ...

    8. Re:Easy fix by gtall · · Score: 1

      Unless you are in your dotage and your health monitor phoning home regularly is your lifeline to continued existence.

    9. Re: Easy fix by Anonymous Coward · · Score: 0

      What you will end up with is devices with no control panels, which are only manageable through the manufacturer's website / app. It'll have one button for WPS or similar, and that's it. You'll have to connect it to make it work, and if you turn off its connectivity the device just won't work, or you won't be able to configure it. You will have zero control over what it sends to the manufacturer over an encrypted link, nor how much bandwidth it uses that you have to pay for. Welcome to the Internet of Things.

    10. Re:Easy fix by ChatHuant · · Score: 1

      Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.

      Heck, even on Slashdot, where you'd expect people to be better informed and more concerned about privacy, lots of posters still have gmail addresses, Android phones (with location services enabled, no less) and use Google search and docs.

    11. Re: Easy fix by mentil · · Score: 2

      Unfortunately my water heater uses my house's pipes as an antenna. I tried putting up Faraday cage wallpaper (even on the ceiling!), but am unsure what to do about the windows. Oh well, no windows means more privacy, right? Now I'm just worried that I didn't layer enough aluminum foil on the basement floor to stop the mole-drones from snooping on me. Stop trying to hack into my precious, life-giving water! I paid for that, mole-drones, not you! Well, my mom did, but still.

      --
      Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    12. Re: Easy fix by Anonymous Coward · · Score: 0

      That can be done now. Give it a few years, you won't be able to buy anything that is not made to be connected. Peer pressure, obsolescence and convenient buyback programs will take care of the reticent. It's a done deal.

      Well then, I look forward to building my own IoT-less refrigerator, with analog controls.

    13. Re:Easy fix by Anonymous Coward · · Score: 0

      Not an easy fix.

      CCTV Cameras are IoT devices.
      Door Access Controls are IoT devices.
      Heating Ventilation and Air Conditioning are IoT devices.
      Fire Alarm Panel Remote Monitoring are IoT devices.
      Security Panels are IoT devices.
      Wireless Access Points are IoT devices.
      Serial to IP converters are IoT devices.
      Lighting Controls are IoT devices.
      Thermostats are IoT devices.
      Digital Signage is an IoT device.
      The dishwasher in the food court is an IoT device.
      The people counters that tell you how many people go in and out are IoT devices.
      The gates that let you into the train station are IoT devices.
      The "Public Art" in the plaza is often an IoT device.
      The VoIP phones in the elevator you ride in are IoT devices.

      All the things that make a modern office building work are IoT devices.

      You might not put any in your house, but they are on the trucks beside you on the highway, the train or bus you go to work on, and they are everywhere in the building where you work.

      The traffic lights that guide you to work, if you don't take the train or the bus, are also IoT devices.

    14. Re:Easy fix by Ol Olsoc · · Score: 1

      Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.

      Heck, even on Slashdot, where you'd expect people to be better informed and more concerned about privacy, lots of posters still have gmail addresses, Android phones (with location services enabled, no less) and use Google search and docs.

      Because IoT botnets != a gmail account or even an Android phone. IoT can be a privacy issue if you don't want the three letter people knowing the temperature in your basement. If you are actually concerned about privacy of the sort of things you do on the internetz, you wouldn't be on the internetz. Peace out.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    15. Re: Easy fix by Ol Olsoc · · Score: 1

      Unfortunately my water heater uses my house's pipes as an antenna. I tried putting up Faraday cage wallpaper (even on the ceiling!), but am unsure what to do about the windows.

      Aluminum screens, compatriot! As long as the mesh is small enough, you can block the insidious radio frequencies of those who would steal your vital bodily fluids.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    16. Re: Easy fix by TWX · · Score: 1

      Did you try using PVC on the cold side and CPVC on the hot side to act as short couplers to isolate the water heater from the copper plumbing?

      Also don't forget to put a PVC fitting on the emergency valve.

      --
      Do not look into laser with remaining eye.
    17. Re: Easy fix by TWX · · Score: 1

      Meraki water heaters from Cisco!

      --
      Do not look into laser with remaining eye.
    18. Re: Easy fix by Anonymous Coward · · Score: 0

      > they're in complete control of what gets to connect to their wifi

      Unless one neighbor has an open access point

  8. Dial "F" for Frankenstein by mykepredko · · Score: 1

    TFA immediately made me think of the Arthur C. Clarke story in which the "first cries" of the unintentionally created artificial intelligence that arose from the hook-up of a world-wide telephone exchange were that every phone around the world rang at the same time.

    What will it be for us? All the refrigerator doors on the planet opening at the same time?

    1. Re:Dial "F" for Frankenstein by TWX · · Score: 2

      Security cameras simultaneously turn off. The UK is particularly affected.

      --
      Do not look into laser with remaining eye.
  9. Thomas Hobbes' Leviathan by hackwrench · · Score: 1
  10. Two Faces of Tomorrow by kmahan · · Score: 1

    James Hogan imagined the next step of the world wide network in "The Two Faces of Tomorrow". Including how it could affect the outside world -- the mass driver was great.

    --
    Invalid Checksum. Retrying.
  11. Standardize. Regulate. Audit. Report. And KILL by Anonymous Coward · · Score: 0

    There is no accountability because the FCC sits on its hands when it isn't shoving them up the money-filled holes of telecom companies. REGULATE REASONABLY OR GTFO.

  12. I see it as a choice ... by grep -v '.*' * · · Score: 1

    I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation.

    SPOILER: stupid government regulation wins. There's no money to be made in "smart." If it just works, everybody forgets. If it's always breaking, the recriminations and money trail go on for years and years.

    (GOD I'm getting cynical in my old age.)

    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:I see it as a choice ... by Anonymous Coward · · Score: 0

      Don't worry. The market will fix itself.

  13. Stretching hard for another robot thread by Anonymous Coward · · Score: 0

    What's with the /. editors' obsession with robots?

    1. Re:Stretching hard for another robot thread by thinkwaitfast · · Score: 1

      It's mating season

  14. It is not one giant robot! by Entrope · · Score: 4, Insightful

    Schneier gives kind of a "shouting at clouds" vibe. The Internet is not like a truck you load things into or off of, it's not a series of tubes, it's not one giant robot that will turn into Skynet once it achieves sentience.

    Internet Green is people! Wait, still the wrong movie, but closer.

    The Internet is made up of billions of devices, each with different capabilities, each with their own purpose and "goals", influenced by others in its social network. Some of these influencers are nearby, some are far away; some are humans, some are machines. Some of these machines are robust against malicious interference, but most have weak points.

    The Internet does not look or act like a single robot. It looks and acts like a network or society, not a monolithic entity, and talking about it as a monolithic thing encourages unwise reactions.

    1. Re:It is not one giant robot! by matbury6017 · · Score: 2

      The Internet does not look or act like a single robot.

      Ever heard of the Mirai botnet? Seems to act pretty much like a single robot and it's pretty effective at taking stuff down. And according to Schneier, we ain't seen nothin' yet.

    2. Re: It is not one giant robot! by Entrope · · Score: 2

      What fraction of a percent of the Internet did that consist of?

      The diversity of IoT devices means that you'll need different attack vectors and payloads to compromise them and then exploit that access. We must not be complacent, but pretending there will soon be a Skynet is unwarranted and counterproductive.

    3. Re: It is not one giant robot! by Anonymous Coward · · Score: 0

      diversity? they all have the same interface

  15. Oh my gob by Anonymous Coward · · Score: 0

    Seriously. How else to explain the following paragraph?

    Our computers and smartphones are as secure as they are because companies like Microsoft, Apple, and Google spend a lot of time testing their code before it’s released, and quickly patch vulnerabilities when they’re discovered.

    Smacked me gob, I did, after reading that.

  16. More proof Schneier has been turned. by Anonymous Coward · · Score: 1

    Just in case anyone was suspicious after he came on the Tor Project board after the big executive shakeup there.

    The call for more regulation won't help with security problems; it will exclude even more people with the knowledge but not the degrees, and it doesn't solve the fundamental issues, most of which are based in design errors or assumptions in the hardware or software which should be fixed and formally proven, as was done in the secure L4 kernel concept. Short of that, software will still be at the mercy of defects caused by both the hardware and the programmer to ensure security is as close to 'airtight' as is mathematically possible.

    Having said that, the things needed to ensure it at this point are: open documentation of the device cores, or original VHDL/Verilog with manufacturing process errata; compilers which thoroughly vet code for unusual accesses and document when such a series of accesses creates a violation. Since most of these accesses are either races or boundary violations, it shouldn't take *THAT* much time to test an entire codebase for them, both in source code and in the final binary code checked against the original source code.

    Additionally, we need to stop allowing compilers to become a moving target. Just following gcc and clang for the past 10-20 years will show that lots of corner cases develop from allowing 'future standard features' in 'official release compilers', as does mixing standards in a codebase. Pedantic standard rules and strict (and DOCUMENTED!) ABI compliance would help reduce many violations, even when interfacing new object code with legacy API/ABI code where sufficient metadata documentation exists. Neither GCC nor CLANG and their related linker tools do this. This is also part of why there are so many MSVC runtime sets needed for some applications, but at least in that case they no longer clobber each other.

    As a separate aside: If suddenly all this stuff DOES start getting secured, won't that simply result in more hardware level exploits enacted by agents of the international intelligence community to circumvent software-level restrictions? Most of the current security issues are as much due to a lack of 'firewall boundaries' for devices as they are the insecurity of the devices themselves. None of these devices should be connected to the internet directly. If you need access to them while away from home, it should be via a secure VPN to your private network, which should not be routable from the internet other than via VPN, a properly configured outgoing subnet, or a SOCKS/HTTP proxy. Direct network access was fine back in the old days of the internet where the network was heavily heterogeneous. But nowadays the internet has homogenized around Cisco, Juniper, Huawei, ZTE (for high end routing, plus probably a few others), and x86/x86_64, ARM, MIPS for almost everything else consumer-level. The people making these attacks usually target one or the other of those groups, and both of those groups are easy to exploit due to the popularity of only one or two operating systems and software ecosystems (Windows, Linux, *BSD/Unix, or Cisco IOS or its successors). When you factor those all together the reason for the internet's sickness is much easier to discover: It is almost a monoculture of systems. And if there is one thing people should have learned from biology, monocultures only require one major event to kill them off.

    Food for thought.

  17. IOT's Creators Are Clueless - Totally Clueless by dryriver · · Score: 5, Insightful

    I had a 2 hour conversation last year with an IOT devices engineer who works for a multi-billion dollar Japanese Corporation. The guy didn't think Privacy was important or at risk at all through IOT devices. "Every home will have many of them soon" he said. He thought that realtime 3D face recognition - CCTV networks being able to identify you ANYWHERE IN PUBLIC with great accuracy even if you are not facing the camera, have grown a beard or are wearing a baseball cap - was a great step forward in human technological development. The guy kept talking about "new markets, new profits, a great future for our company". He literally DID NOT CARE what these technologies mean for people's Privacy. Every time I voiced even mild concerns about what these surveillance capable technologies might do to people's privacy, he acted terribly *shocked*. Apparently the corporation he works for sees great profits in building IOT, face recog tech & other surveillance capable tech, and my bringing up concerns about them was something he was - wait for it - "uncomfortable with". =) This is what IOT is - faceless, nameless engineers crapping all over other people's lives because the companies that employ them expect a new XX Billion Dollar a year market from them.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
    1. Re:IOT's Creators Are Clueless - Totally Clueless by rtb61 · · Score: 1

      I'll bet the idiots at the top of the engineer's company are thinking corporations as government and how great that will be, for them (psychopaths creating a world where their insanity is the norm).

      --
      Chaos - everything, everywhere, everywhen
    2. Re:IOT's Creators Are Clueless - Totally Clueless by Nethead · · Score: 2

      I hope that after your conversation you removed said engineer from the gene pool.

      --
      -- I have a private email server in my basement.
    3. Re:IOT's Creators Are Clueless - Totally Clueless by Anonymous Coward · · Score: 1

      "It is difficult to get a man to understand something when his salary depends on his not understanding it" - Upton Sinclair circa 1935

    4. Re:IOT's Creators Are Clueless - Totally Clueless by Anonymous Coward · · Score: 1

      I had a 2 hour conversation last year with an IOT devices engineer who works for a multi-billion dollar Japanese Corporation. The guy didn't think Privacy was important or at risk at all through IOT devices. "Every home will have many of them soon" he said. He thought that realtime 3D face recognition - CCTV networks being able to identify you ANYWHERE IN PUBLIC with great accuracy even if you are not facing the camera, have grown a beard or are wearing a baseball cap - was a great step forward in human technological development.

      It was you who were unable to understand another culture, much the same way that engineer is unable to understand what you are worrying about.

      (Disclaimer: I am not Japanese, but I am living in East Asia and have quite a bit of contact with Japan culture)

      Firstly, Japanese mostly believed their government to be mainly benevolent, i.e. their country was not built upon overthrowing/separating from a larger empire. It might be somewhat corrupt (as money-grabbing), but that is very far from having any intent to harm the people in general. Secondly, Japanese regard their police as benevolent. Police abusing their power is NOT a thing in Japan. Most Japanese would happily cooperate with Japanese police, who would only ask for reasonable cooperation. Crime rate in Japan is extremely low.

      The concept of being afraid of/against the government and the police force is somewhat unique to the US (only somewhat, as there are abusive police forces elsewhere), and does not apply to Japan.

      That's why to most Japanese, having CCTV networks everywhere being able to identify anyone is a GOOD thing. They would believe it would help their police catch criminals.

      You should express your concern as "If not properly secured, criminals could take the control of all these cameras out from the hands of the proper authorities!". That would get through to him more easily.

  18. I for one welcome our new ... by Anonymous Coward · · Score: 0

    ...

    nevermind, too easy.

  19. Uphill Battle by Anonymous Coward · · Score: 0

    He's going to be fought tooth and nail on this one.

    The worst flaws in the IoT are actually its biggest selling points as far as any three-letter agency, sales-rep or advertiser is concerned. They want the item to be capable of killing you like in bad 90s "hacking" movies. They *want* the item to be easily bricked by someone else in ways that can be blamed on the user's own lack of security - no matter how much effort one put into securing said devices within the confines of laws like the DMCA. They *WANT* it mouthing off vital information it doesn't need and shouldn't even gather to anything and anyone who asks - or at least who pays them for this kind of metric in great bulk.

    The Internet of Things doesn't have to be the brain-frying Matrix of sinister paydata and fatal remote sabotage. But those pushing for it the hardest are doing their damnedest to make sure that it can become just that.

  20. Person of Interest by Anonymous Coward · · Score: 0

    He's either watched the TV show Person of Interest, or he needs to, because he's just describing the overall plot of the show!

  21. IoT: The only way to win is not to play by Anonymous Coward · · Score: 0

    The only utility of ID-oT is p0wn1ng users. Buy our shit once then we stalk U forever. This is why the marketers keep cheerleading IoT.

    Caring about security requires tech companies to care about the user. They only care about advertising and big data cyber stalking. Users are merely "dumb fucks".

    If you think any legislative solution won't be perverted by mega corps to fuck people over even more you're a delusional tool.

    1. Re:IoT: The only way to win is not to play by geekmux · · Score: 2

      ...If you think any legislative solution won't be perverted by mega corps to fuck people over even more you're a delusional tool.

      Even more delusional is you thinking you still have a chance at winning.

      When 99% of the population is being tracked and you choose "not to play", you will be playing by default as the anomaly. You will be easily tracked because you will stick out and it will be rather obvious.

      Many people have already accepted this fact, which is why attempting to regulate some constraint around it is the next logical step. If you must live with a monster, then you'll at least try and put it on a leash.

  22. The Internet Is Becoming One Giant Robot by Sla$hPot · · Score: 0

    And a robot should pay tax! So, the question is, how do we go about this one?

  23. Bruce tries - but could be better... by Anonymous Coward · · Score: 0

    Bruce tries, but in the wrong way.

    My answer follows:

    A government agency is NOT the answer. The government isn't even publishing the exploits it discovers or buys - it even lets criminals get away above revealing critical vulnerabilities which affect us all.

    The most OFFENSIVE abusers of security holes are script kiddies and government actors. Currently.

    In the future, we have to add the threat of Artificial Intelligence. The potential for a 'gone loose' AI taking control of our earth-scale computer robot is relatively large. Read more from the most intelligent human on the planet about that: Elon Musk. Nothing will be able to stop that unless we fix our lack of a better human-computer interface.

    But in the meantime what can we do as an alternative to your proposed government agency - which would, without any doubt, just make things worse?

    We need 3 simple laws (so YES, I think regulation needs to step in). But they need to be simple laws - otherwise they will be abused.

    1) "All offensive actions on the internet are a crime - except those performed for research." This puts all the 'cyberwar' actions out of legality as well. We need cyberpeace, not war! And if the government looks at the internet as a weapon, they are out of line; it is a critical piece of infrastructure which should not be abused in such a way!

    2) "Companies can be held liable if they don't fix disclosed security holes in reasonable time." One can discuss what a reasonable time is, and how the disclosure process needs to work. To me it seems that the policy by Google is a good middle ground currently: inform the affected company but if they fail to fix, inform the general public. One could see an additional step where the company is fined for the 'pollution' it causes worldwide. Yes, this also means you, Microsoft!

    3) "If companies discontinue supporting a product or go broke - hardware or software - they need to provide the source code to their customers so they transfer the liability." This means that the cost of software and maintenance goes up. And companies need to weigh the importance of the secrecy of their source code versus keeping the maintenance cycle alive. Companies who prefer not to give maintenance for the largest part of the OS running on the device might opt for an OpenSource Operating System which can be independently upgraded aside from their proprietary and maintained application.

    Only if we push for these 3 simple laws will things change.

    These laws are simple enough for everybody to understand.

    If they will be enough to stop a possible AI overlord, maybe not. But at least we might have a chance against malicious script kiddies and overreaching governments.

  24. Open Source and IoT Regulation? Ironic... by Anonymous Coward · · Score: 0

    security expert Bruce Schneier warned the Open Source Leadership Summit

    The irony about asking for regulation of IoT is that there is a high probability that the way they will "regulate" this is by closed-sourcing the thing, making it a felony to reverse engineer it in any way, and making it a felony to refuse patches distributed by the company, regardless of what spyware, malware, or bugs they pack into each patch you are now legally required to choke down. And then maybe start moving towards doing the same thing to phones and ultimately PCs.