Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com)

← Back to Stories (view on slashdot.org)

Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com)

Posted by EditorDavid on Saturday March 18, 2017 @07:34AM from the Congress-vs-connected-devices dept.

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

24 of 85 comments (clear)

Min score:

Reason:

Sort:

Economics by Anonymous Coward · 2017-03-18 07:41 · Score: 3, Insightful

>But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning.
I highly doubt regulation will cause many iot companies to take security seriously, unless it has some teeth. And then regulation becomes a barrier to entry for smaller companies, so there would be fewer IoT sellers, and maybe that's a good thing according to Schneier.
1. Re:Economics by mentil · 2017-03-18 15:27 · Score: 2
  
  In practice we're going to get 'best-practices' checklists that they check off (self-certified), which are so overspecific (and quickly out of date) that huge classes of vulnerabilities will be completely unaddressed, and others will be 'addressed' inadequately. What we NEED is a provision that if anyone manages to find a vulnerability that grants unauthorized entry, all units must be recalled and installed units shall be refunded (oh and the consumer gets to keep the installed unit). That'll guarantee a bare-minimum of hackable features, and thorough testing of everything put in, rather than "Bluetooth and a full wifi stack on my front door lock" BS.
  The way I see things eventually going is there being a central 'house computer' that controls all of the IoT devices in the home, utilizing some industry-standard protocol for interacting with the IoT devices so that the computer's OS doesn't matter (networkable lightbulbs have had this for decades). There's one central point of failure, but also only one device that needs security updates, and these things will be sold on their quality/length of updates.
  
  --
  Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Professionalize computer science by VikingNation · 2017-03-18 07:42 · Score: 5, Insightful

Many engineers who design bridges, roads, buildings, power systems, etc. are required to get a proefessional engineering certificate. There is no equivalent for computer scientist in the United States. Until there is liability for poor designs and implementation there will be changes to improve quality and security.
1. Re:Professionalize computer science by fisted · 2017-03-18 08:52 · Score: 4, Funny
  
  No, but maybe John von Neumann.
  
  --
  CLI paste? paste.pr0.tips!
2. Re:Professionalize computer science by gtall · 2017-03-18 10:56 · Score: 2
  
  The scale of new bridges, road, buildings, power systems, etc. are dwarfed by computer science applications (those that do not involve new bridges, etc.) To expect the same level of standards is silly. That said, I wouldn't mind better legal ramifications for building something flawed.
3. Re:Professionalize computer science by bill_mcgonigle · 2017-03-18 11:49 · Score: 2, Insightful
  
  Until there is liability for poor designs and implementation there will be changes to improve quality and security.
  Show me the equations that show if a bridge will hold up. Fine, those are well-known.
  Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm, so that a Computer Science "Engineer" can place his professional stamp on one. And remember, nobody will buy Windows that takes thirty years to get out the door at six-thousand bucks a copy.
  Really, though, do you even CS, bro? Besides the software-provability problem, a bridge engineer is not responsible for any shoddy work that is hidden from him by a lackluster construction crew (and no, inspections are not fool-proof if there is professional malpractice occurring).
  You can't simply make a comparison between a static and a dynamic system and declare equivalene. That's as silly as Schnier thinking that regulators will save us from ourselves. He should look into real insurance, strict liability, and/or marketable torts if he wants a system that can actually provide better results.
  
  --
  My God, it's Full of Source!
  OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
4. Re:Professionalize computer science by drinkypoo · 2017-03-18 22:58 · Score: 3
  
  Show me the equations that show if a bridge will hold up. Fine, those are well-known.
  Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm,
  There is a reasonable interim step where the programmer proves that they utilized best practices. In some fields there are actually published standards, like say for people making PCMs for automobiles. Toyota got nailed on the unintended acceleration issue largely because they made no attempt to follow industry best practices or even their own internal practices, and their code had numerous bugs which should have been considered show-stoppers as a result. The code was so bad that it would regularly crash and fall back into an internal failsafe mode, and if they had followed best practices, it would have at minimum recovered itself to a sane state, which was not what happened.
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
5. Re:Professionalize computer science by JaredOfEuropa · 2017-03-19 00:01 · Score: 2
  
  This. Also see my sig.
  
  With that said, not having a way to guarantee that your software is secure is no excuse for not exercising established security practices. They may not provide a 100% guarantee but it's better than nothing. A lot of the hacks of IoT equipment that we've been hearing so much about were possible because of inexcusable negligence on the part of the manufacturer.
  
  --
  If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
Easy fix by Rosco+P.+Coltrane · 2017-03-18 07:49 · Score: 3, Insightful

Don't buy IoT devices. Problem solved.
Everybody knows they offer marginally beneficial services to the user, and massive surveillance and privacy invasion opportunities for big data, unconstitutional government agencies and other sumbitches.

--
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
1. Re:Easy fix by Anonymous Coward · 2017-03-18 08:02 · Score: 4, Insightful
  
  I don't think that 'everybody' knows this. Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.
2. Re: Easy fix by Anonymous Coward · 2017-03-18 08:06 · Score: 5, Insightful
  
  That can be done now. Give it a few years, you won't be able to buy anything that is not made to be connected. Peer pressure, obsolescence and convenient buyback programs will take care of the reticent. It's a done deal.
3. Re: Easy fix by TWX · 2017-03-18 08:17 · Score: 5, Interesting
  
  Half of the water heaters at Home Depot have electronic control panels, and a good chunk of those have WiFi capability.
  Do you trust Rheem or AO Smith to have enough IT security people available to know how to set the default state of these controls so that they're not exploitable?
  
  --
  Do not look into laser with remaining eye.
4. Re: Easy fix by Rosco+P.+Coltrane · 2017-03-18 09:01 · Score: 4, Informative
  
  The thing is, as long as people pay for their own internet themselves, they're in complete control of what gets to connect to their wifi. So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless. And should they ever come with their own connectivity solution that bypasses the users' router completely, well... it's always possible to encase it in a Faraday cage of some sort.
  As for trusting manufacturer with IT security, that's not the only problem: even if they're serious about it and actually qualified to secure your device properly, personally I'm more concerned about what they do with my data - how they snoop on my habits, how they intend to misuse that data, or whom they intend to sell it to.
  If there's a buck to be made, company won't even consider moral or ethical use of the data they collect. That's the only thing you can bet on with big data.
  
  --
  "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
5. Re: Easy fix by mentil · 2017-03-18 15:33 · Score: 2
  
  Unfortunately my water heater uses my house's pipes as an antenna. I tried putting up Faraday cage wallpaper (even on the ceiling!), but am unsure what to do about the windows. Oh well, no windows means more privacy, right? Now I'm just worried that I didn't layer enough aluminum foil on the basement floor to stop the mole-drones from snooping on me. Stop trying to hack into my precious, life-giving water! I paid for that, mole-drones, not you! Well, my mom did, but still.
  
  --
  Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Re: Bruce Schneier ... by bradley13 · 2017-03-18 08:09 · Score: 2

Yep. He needs to remember the old adage: be careful what you wish for; you might get it. He says see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation.
Stupid is what he's going to get.

--
Enjoy life! This is not a dress rehearsal.
Re:Dial "F" for Frankenstein by TWX · 2017-03-18 08:18 · Score: 2

Security cameras simultaneously turn off. The UK is particularly affected.

--
Do not look into laser with remaining eye.
Re:Bruce Schneier ... by CyclistOne · 2017-03-18 09:08 · Score: 4, Informative

I don't think Bruce Schneier is an idiot, but otherwise, I tend to agree with this. Read Jacques Ellul ("The Technological Society", "The Technological System") to better understand this.
It is not one giant robot! by Entrope · 2017-03-18 09:18 · Score: 4, Insightful

Schneier gives kind of a "shouting at clouds" vibe. The Internet is not like a truck you load things into or off of, it's not a series of tubes, it's not one giant robot that will turn into Skynet once it achieves sentience.
Internet Green is people! Wait, still the wrong movie, but closer.
The Internet is made up of billions of devices, each with different capabilities, each with their own purpose and "goals", influenced by others in its social network. Some of these influencers are nearby, some are far away; some are humans, some are machines. Some of these machines are robust against malicious interference, but most have weak points.
The Internet does not look or act like a single robot. It looks and acts like a network or society, not a monolithic entity, and talking about it as a monolithic thing encourages unwise reactions.
1. Re:It is not one giant robot! by matbury6017 · 2017-03-18 10:19 · Score: 2
  
  The Internet does not look or act like a single robot.
  Ever heard of the Mirai botnet? Seems to act pretty much like a single robot and it's pretty effective at taking stuff down. And according to Schneier, we ain't seen nothin' yet.
2. Re: It is not one giant robot! by Entrope · 2017-03-18 10:23 · Score: 2
  
  What fraction of a percent of the Internet did that consist of?
  The diversity of IoT devices means that you'll need different attack vectors and payloads to compromise then and then exploit that access. We must not be complacent, but pretending there will soon be a Skynet is unwarranted and counterproductive.
IOT's Creators Are Clueless - Totally Clueless by dryriver · 2017-03-18 09:42 · Score: 5, Insightful

I had a 2 hour conversation last year with an IOT devices engineer who works for a multi-billion dollar Japanese Corporation. They guy didn't think Privacy was important or at risk at all through IOT devices. "Every home will have many of them soon" he said. He thought that realtime 3D face recognition - CCTV networks being able to identify you ANYWHERE IN PUBLIC with great accuracy even if you are not facing the camera, have grown a beard or are wearing a baseball cap - was a great step forward in human technological development. They guy kept talking about "new markets, new profits, a great future for our company". He literally DID NOT CARE what these technologies mean for people's Privacy. Every time I voiced even mild concerns about what these surveillance capable technologies might do to people's privacy, he acted terribly *shocked*. Apparently the corporation he works sees great profits in building IOT, face recog tech & other surveillance capable tech, and my bringing up concerns about them was something he was - wait for it - "uncomfortable with". =) This is what IOT is - faceless, nameless engineers crapping all over other people's lives because the companies that employ them expect a new XX Billion Dollar a year market from them.

--
Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.
1. Re:IOT's Creators Are Clueless - Totally Clueless by Nethead · 2017-03-18 11:53 · Score: 2
  
  I hope that after your conversation you removed said engineer from the gene pool.
  
  --
  -- I have a private email server in my basement.
Re: Bruce Schneier ... by gtall · 2017-03-18 10:53 · Score: 2

Car and truck regulations, plane regulations, food and drug regulations, OHSA regulations, financial regulations, etc.
Without them, you'd be dead.
Re:IoT: The only way to win is not to play by geekmux · 2017-03-18 22:38 · Score: 2

...If you think any legislative solution won't be perverted by mega corps to fuck people over even more your a delusional tool.
Even more delusional is you thinking you still have a chance at winning.
When 99% of the population is being tracked and you choose "not to play", you will be playing by default as the anomaly. You will be easily tracked because you will stick out and it will be rather obvious.
Many people have already accepted this fact, which is why attempting to regulate some constraint around it is the next logical step. If you must live with a monster, then you'll at least try and put it on a leash.