Slashdot Mirror


Bruce Schneier Calls for IoT Legislation, Argues The Internet Is Becoming One Giant Robot (linux.com)

"We're building a world-size robot, and we don't even realize it," security expert Bruce Schneier warned the Open Source Leadership Summit. As mobile computing and always-on devices combine with the various network-connected sensors, actuators, and cloud-based AI processing, "We are building an internet that senses, thinks, and acts." An anonymous reader quotes Linux.com: You can think of it, he says, as an Internet that affects the world in a direct physical manner. This means Internet security becomes everything security. And, as the Internet physically affects our world, the threats become greater. "It's the same computers, it could be the same operating systems, the same apps, the same vulnerability, but there's a fundamental difference between when your spreadsheet crashes, and you lose your data, and when your car crashes and you lose your life," Schneier said...

"I have 20 IoT-security best-practices documents from various organizations. But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning. I know regulation is a dirty word in our industry, but when people start dying, governments will take action. I see it as a choice not between government regulation and no government regulation, but between smart government regulation and stupid government regulation."

12 of 85 comments

  1. Economics by Anonymous Coward · · Score: 3, Insightful

    >But the primary barriers here are economic; these low-cost devices just don't have the dedicated security teams and patching/upgrade paths that our phones and computers do. This is why we also need regulation to force IoT companies to take security seriously from the beginning.

    I highly doubt regulation will cause many IoT companies to take security seriously, unless it has some teeth. And then regulation becomes a barrier to entry for smaller companies, so there would be fewer IoT sellers, and maybe that's a good thing according to Schneier.

  2. Professionalize computer science by VikingNation · · Score: 5, Insightful

    Many engineers who design bridges, roads, buildings, power systems, etc. are required to get a professional engineering certificate. There is no equivalent for computer scientists in the United States. Until there is liability for poor designs and implementation there will be changes to improve quality and security.

    1. Re:Professionalize computer science by fisted · · Score: 4, Funny

      No, but maybe John von Neumann.

    2. Re:Professionalize computer science by drinkypoo · · Score: 3

      Show me the equations that show if a bridge will hold up. Fine, those are well-known.
      Now show me the equations that prove that a computer system is secure, for a non-trivial algorithm,

      There is a reasonable interim step where the programmer proves that they utilized best practices. In some fields there are actually published standards, like say for people making PCMs for automobiles. Toyota got nailed on the unintended acceleration issue largely because they made no attempt to follow industry best practices or even their own internal practices, and their code had numerous bugs which should have been considered show-stoppers as a result. The code was so bad that it would regularly crash and fall back into an internal failsafe mode, and if they had followed best practices, it would have at minimum recovered itself to a sane state, which was not what happened.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Easy fix by Rosco P. Coltrane · · Score: 3, Insightful

    Don't buy IoT devices. Problem solved.

    Everybody knows they offer marginally beneficial services to the user, and massive surveillance and privacy invasion opportunities for big data, unconstitutional government agencies and other sumbitches.

    --
    "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
    1. Re:Easy fix by Anonymous Coward · · Score: 4, Insightful

      I don't think that 'everybody' knows this. Most people will buy whatever they see that is attractively packaged on the front page of Amazon or on the shelves at Home Depot, Target, Best Buy, Office Max or the like.

    2. Re: Easy fix by Anonymous Coward · · Score: 5, Insightful

      That can be done now. Give it a few years, you won't be able to buy anything that is not made to be connected. Peer pressure, obsolescence and convenient buyback programs will take care of the reticent. It's a done deal.

    3. Re: Easy fix by TWX · · Score: 5, Interesting

      Half of the water heaters at Home Depot have electronic control panels, and a good chunk of those have WiFi capability.

      Do you trust Rheem or AO Smith to have enough IT security people available to know how to set the default state of these controls so that they're not exploitable?

      --
      Do not look into laser with remaining eye.
    4. Re: Easy fix by Rosco P. Coltrane · · Score: 4, Informative

      The thing is, as long as people pay for their own internet themselves, they're in complete control of what gets to connect to their wifi. So, even if all the water heaters on the market had IoT features, it's trivial to keep them offline and harmless. And should they ever come with their own connectivity solution that bypasses the users' router completely, well... it's always possible to encase it in a Faraday cage of some sort.

      As for trusting manufacturers with IT security, that's not the only problem: even if they're serious about it and actually qualified to secure your device properly, personally I'm more concerned about what they do with my data - how they snoop on my habits, how they intend to misuse that data, or whom they intend to sell it to.

      If there's a buck to be made, companies won't even consider moral or ethical use of the data they collect. That's the only thing you can bet on with big data.

      --
      "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
  4. Re:Bruce Schneier ... by CyclistOne · · Score: 4, Informative

    I don't think Bruce Schneier is an idiot, but otherwise, I tend to agree with this. Read Jacques Ellul ("The Technological Society", "The Technological System") to better understand this.

  5. It is not one giant robot! by Entrope · · Score: 4, Insightful

    Schneier gives kind of a "shouting at clouds" vibe. The Internet is not like a truck you load things into or off of, it's not a series of tubes, it's not one giant robot that will turn into Skynet once it achieves sentience.

    Internet Green is people! Wait, still the wrong movie, but closer.

    The Internet is made up of billions of devices, each with different capabilities, each with their own purpose and "goals", influenced by others in its social network. Some of these influencers are nearby, some are far away; some are humans, some are machines. Some of these machines are robust against malicious interference, but most have weak points.

    The Internet does not look or act like a single robot. It looks and acts like a network or society, not a monolithic entity, and talking about it as a monolithic thing encourages unwise reactions.

  6. IOT's Creators Are Clueless - Totally Clueless by dryriver · · Score: 5, Insightful

    I had a 2 hour conversation last year with an IOT devices engineer who works for a multi-billion dollar Japanese Corporation. The guy didn't think Privacy was important or at risk at all through IOT devices. "Every home will have many of them soon" he said. He thought that realtime 3D face recognition - CCTV networks being able to identify you ANYWHERE IN PUBLIC with great accuracy even if you are not facing the camera, have grown a beard or are wearing a baseball cap - was a great step forward in human technological development. The guy kept talking about "new markets, new profits, a great future for our company". He literally DID NOT CARE what these technologies mean for people's Privacy. Every time I voiced even mild concerns about what these surveillance capable technologies might do to people's privacy, he acted terribly *shocked*. Apparently the corporation he works for sees great profits in building IOT, face recog tech & other surveillance capable tech, and my bringing up concerns about them was something he was - wait for it - "uncomfortable with". =) This is what IOT is - faceless, nameless engineers crapping all over other people's lives because the companies that employ them expect a new XX Billion Dollar a year market from them.

    --
    Why did the chicken cross the road? Because Elon Musk put an AI chip in its head.