We Must Slow Innovation in Internet-Connected Things, Says Bruce Schneier (technologyreview.com)
Bruce Schneier argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought. Schneier made these arguments in his new book, Click Here to Kill Everybody, which is on sale now. Here's an excerpt from his interview with MIT Technology Review:
Technology Review: So what do we need to do to make the Internet+ era safer?
Schneier: There's no industry that's improved safety or security without governments forcing it to do so. Again and again, companies skimp on security until they are forced to take it seriously. We need government to step up here with a combination of things targeted at firms developing internet-connected devices. They include flexible standards, rigid rules, and tough liability laws whose penalties are big enough to seriously hurt a company's earnings.
Technology Review: But won't things like strict liability laws have a chilling effect on innovation?
Schneier: Yes, they will chill innovation -- but that's what's needed right now! The point is that innovation in the Internet+ world can kill you. We chill innovation in things like drug development, aircraft design, and nuclear power plants because the cost of getting it wrong is too great. We're past the point where we need to discuss regulation versus no-regulation for connected things; we have to discuss smart regulation versus stupid regulation.
Technology Review: There's a fundamental tension here, though, isn't there? Governments also like to exploit vulnerabilities for spying, law enforcement, and other activities.
Schneier: Governments are certainly poachers as well as gamekeepers. I think we'll resolve this long-standing tension between offense and defense eventually, but it's going to be a long, hard slog to get there.
I give the book five stars based solely on the title.
I strongly disagree. You should do your own research and refuse to buy inferior products. If you get hax0red it's your own fault for buying crap from China and not securing your own equipment.
In the car world if manufacturers make a mistake they can be forced to recall the vehicles. In the device world you can release something and wash your hands of it.
We want you to lock everyone else out of the device - but us! ... so our intrepid developers put 200+ back doors in their devices. One for every government that asked for it,
With admin names like:
UnitedStates-BackDoor-KeepOut
Yemen-BackDoor-KeepOut
VaticanCity-BackDoor-KeepOut
Canadia-BackDoor-PleaseKeepOut
Russa-BackDoor-NothingToSeeHere
Oh, and the passwords for all the backdoors? - 1-2-3-4-5 No one read the email that said that the Govt's were to change the password to something only they knew when they hacked the device to put their own spyware on it.
Finally, some I-D-10-T left the spreadsheet for said back doors out on a public Dropbox, Azure, AWS, GoogleDoc, location so that they could work on it from home.
Seriously, What could possibly go wrong...
Fred In IT
All the same old tired stupid mistakes are made again in the IoT space. It is really quite stupid.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
The problem isn't innovation, doing new things is good. The problem is not learning from the old things. The mistakes the IoT vendors are making are all mistakes that have been made before. Looking to the future is positive, so long as you don't ignore the past.
We don't need to slow down innovation. We need to put more emphasis on history. Ironically this could actually speed up innovation since less time would be spent fighting fires.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
These attempts to postpone the coming technological singularity and save their own... everything will not be successful, and are not acceptable.
Accelerate.
The simple and obvious fix for IoT security is for a bunch of open source security experts to build something basic and give it away under a free licence. If it's well documented and saves the company having to develop their own, they'll use it. Everyone wins.
Almost.
IoT is going to end up a security sinkhole, with devices devoting 2/3 of their code to security, and 1/3 to actual functionality. Unfortunate but necessary.
But failed security won't be solved by regulation. Small manufacturers will suffer because when they get it wrong they will be crushed. And consumers will suffer because they will be stuck with failed devices and lost money.
Ultimately regulation of IoT will look more like rent-seeking than protection, since punishing manufacturers for security failures has, in the past, only resulted in abandonment of failed devices. These things are so simple they are not worth fixing most of the time.
Or will we see future IoT devices that can actually be maintained? Those attractive, simple, cheap-ish things like door locks have so far proven to be unable to be 'fixed' in most cases. I'm not hopeful. But there are going to be successful security models, probably based on local gateways, and will come with fully featured vendor lock-in and captivity to the whole infrastructure that is vendor dependent. Probably unavoidable, since security is a huge problem for everything Internet.
deleting the extra space after periods so i can stay relevant, yeah.
If we're talking consumer applications, most of the shitty IoT concepts aren't innovative in the slightest, they are just slapping a wifi chip onto the side of a pre-existing product. The societal benefit of holding manufacturers responsible for their bugs far outweighs missing out on iteration #48,294 of a networked baby monitor or washing machine.
Because people noticed that they get killed in death trap cars. Unfortunately, insecure IoT bullshit hurts pretty much everyone BUT the idiot that runs it.
I still say the drunk driving comparison is apt, usually the asshole wino survives the crash while the pedestrian he mows down does not.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
All these IoT devices are just mini time-bombs waiting to go off. When they get hacked / p0wned will politicians FINALLY realize that allowing devices on the internet with none, or very little, security was a bad idea???
This is why I call Internet-of-Things with a more accurate one: In-waiting of Tragedy
Because when enough people's fridges, thermostats, stoves, etc. get hacked it will be hell.
Yep, it's a catchy title. Bruce is generally a smart guy, so I'm surprised to hear him start the interview with a statement that is flat out wrong on the facts. More than that, anyone who knows a little history KNOWS it's wrong.
"There's no industry that's improved safety or security without governments forcing it to do so.", he began.
Has Bruce never heard of Underwriters Laboratories (UL listed, UL registered, etc)? Underwriters means insurance companies. That's not government, that's insurance companies offering guidance and an incentive. How about the National Fire Protection Association, which writes the fire codes? That's another safety organization started by insurance companies, and insurance companies wouldn't insure a building unless it met fire code. Later, local governments ALSO said "me too", but the NFPA and fire codes were created by insurance companies, not government.
The auto companies were advertising safety innovations for half a century before there was any major legislation. From Duesenberg advertising hydraulic brakes in the 1920s to Ford marketing safety glasses in all its cars in the 1930s to padded dashboards, safety cages, and disc brakes in the 1940s - it wasn't until the 1960s that the government got involved.
So it's simply factually incorrect, plain wrong, to say "There's no industry that's improved safety or security without governments forcing it to do so". My side gig is pyrotechnics, fireworks. A LOT of what we talk about and work on in the industry is safety, sometimes talking about how to convince the government official to allow us to do things the safer way rather than insisting on outdated procedures, or things that are a bad (dangerous) fit for the situation.
Yes, you can find examples of industries that improve safety reactively as a marketing ploy in response to bad press from an unfortunate incident (for example, tamper-proof packaging after the Tylenol poisoning incident in the 1980s). Getting them to do it proactively (i.e. before something really bad happens) generally requires government intervention, and that is what we need here. Also, once the bad press goes away, the safety measures often do as well unless regulations have been updated to require them.
Support Right To Repair Legislation.
https://en.wikipedia.org/wiki/... "The Clipper chip was a chipset that was developed and promoted by the United States National Security Agency[1] (NSA) as an encryption device that secured “voice and data messages”[2] with a built-in backdoor. It was intended to be adopted by telecommunications companies for voice transmission. It can encipher and decipher messages. It was part of a Clinton Administration program to “allow Federal, State, and local law enforcement officials the ability to decode intercepted voice and data transmissions.”[2] “Each clipper chip ha[d] a unique serial number and a secret ‘unit key,’ programmed into the chip when manufactured.”[2] This way, each device was meant to be different from the next. It was announced in 1993 and by 1996 was entirely defunct."
I don't think we have to rely on archaic notions of what is secure. I don't think we need to suffer with medieval concepts of what was reliable.
It's perfectly reasonable to expect IoT technology to strictly exceed the standards taught in the 1980s, simply because those standards are 40-odd years old. We've learned how to build things better since then.
The law can reasonably enforce certain standards. There are standards out there, for coding and security. Some, like MISRA, are regarded as correct only in places. But they are published and are used by real people for real projects.
The obvious solution is to commission the NSF to draw up some core standards, using the existing ones as templates:
One set of rules for all I/O, probably based on CERT's secure programming and FIPS.
One set for low-criticality systems, I'd argue 5N reliability is all you need for that.
One set for high-criticality (medical implants, for example), probably using only vital, universal, elements from MISRA, JSF+ and DO-178C. Emphasis on vital, universal. You don't want rules here that are frivolous or domain-specific.
One set for split role devices. I'd probably use ideas that are still relevant from the Rainbow Series.
Such a group may decide that a given set is the empty set. That's fine. That means regulations don't make any sense at that level and that's worth knowing.
The rules should be minimal, no group should have more than ten rules. I don't think anyone can seriously object to ten rules programmers came up with in the first place.
By using existing, established, rules, most can be checked automatically, making it a cinch to validate and certify.
Is it enough? Probably not, but that's not the point. The point is to create a starting point and enforce minimal standards superior to what is currently used but trivial enough to not impose an excessive overhead.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
That is irrespective of whether one user is a grandma trying to email to a relative, an individual buying a product, a city's traffic light network, a government department, a car or a battleship
This is a ridiculous situation to be in. We segregate road users for their own safety (and that of others) and in order to provide facilities that are appropriate for each type of user. What we don't need is a one-size-fits-all security model. We should be separating out the various forms of network traffic into physically discrete networks. Maybe even to the extent of having multiple networks with little or no cross-over between them.
This would be especially apt for a break between commercial and non-commercial traffic. Or between government and civilian use. And especially between safety-critical infrastructure and everything else.
The concept of an "internet" is past its useful life. The whole structure never took security seriously and was designed more around trust than enforcement. It is past time to move a LOT of stuff off the public network and to make it harder for grandma to accidentally email the Pentagon's National Military Command Centre - just like it isn't (I hope) possible for someone to accidentally walk in through its front door.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
Are in a position to shop between implants, and there's obviously millions of vendors.
And, of course, stores carry an entire department of wireless routers, not just three boxes between two near-identical vendors who offer no information and have secrecy clauses on everything.
Find any good OpenBSD-based thermostats on Amazon? Thought not.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
You know those pointless noise-maker car alarms? It used to be that only douches have those. When I bought my car in '07 it never occurred to me it would come with one. It did. I never asked for it. They didn't warn me. The damned thing has pissed me off and sent me into a rage on several occasions. I went to the dealer and they said they could fix it when their security specialist was in, or some bullshit like that. They acted like it was serious business. It's a fucking noise maker that pisses me off.
Many cars come like this; perhaps all of them. I'm still waiting for the magic of the free market to fix it for me.
Your libertarian philosophy does NOTHING to defend us against the collective decisions of powerful private interests.
Let me repeat. NOTHING. I'm not "free to replace google" or "free to replace Honda", because that's an unrealistic goal for almost everybody. For the few who may achieve such things? They are in on the racket.
The only way for regular Joes like us, the only realistic shot we have, is to regulate those douches.
Get it through your damned libertarian skulls.
Thieves break into financial networks on a regular basis. They pay a lot of people a lot of money to prevent this, but it still happens. There is no one to prevent some 12 year old script kiddie from turning your 'smart refrigerator's' temperature all the way up. Not to mention the vastness of security camera botnets and how manufacturers spy through smart TVs...
Is it that hard to air gap IoT devices? I'm not concerned about someone hacking into my cameras, you should see all the bullshit those cameras want to send back home. IoT devices will never be secure. Why even fight that battle?
>There's no industry that's improved safety or security without governments forcing it to do so.
How about PCI (Payment Card Security Standards)? This is one of many examples where industry has self-imposed security standards without being forced by government.
I personally advocate a happy medium on regulation, but that statement seems to demand the creation of a police state and I have to speak out against that horrible idea.
Greed is the root of all evil.
... largely in denial.
Regulation is not going to stop anything in a nation that worships corporations. It's in too many big companies' interest to spy on everyone and remove their ability to own their own software. Mere regulation isn't going to help jack squat. The best security is not to have software and hardware unnecessarily connected to the internet for instance.
If we were really interested in security, DRM would not be a thing and all games would be able to be playable offline. The best security is not to put it on the net in the first place. Too many big companies have too much power and mere regulation is not going to do jack shit in government that is bought and owned by corporations. Like the man wasn't paying attention to the bail outs of the big banks in 2008 or the last 40 years of repeals of various acts that were designed to protect the public.
If all IoTs meet some baseline security on, say, Day 1, new attacks will be found on Day 2 if not before the item ships
How do you keep your things current with the latest challenges?
If the manufacturers have hidden paths that allow them to update remotely, that code will just be a new way to hack the device.
If the manufacturers send you a new plugin with the updated code for your light or refrigerator, you get to fix each device.
We don't need to slow down innovation. We just need the universal understanding that proprietary software in these devices is not acceptable.
usually the asshole wino survives the crash while the pedestrian he mows down does not.
Far more drunk pedestrians are killed by sober drivers than vice versa. Pick a different example.
Socialism: a lie told by totalitarians and believed by fools.
... argues that governments must step in now to force companies developing connected gadgets to make security a priority rather than an afterthought.
Banks, anyone? How about fast food joints and places like Target?
Yahoo!?
Equifax?
No?
OK.
It little behooves the best of us to comment on the rest of us.
> Remember the introduction of seat belts? Yeah, that had to be mandated
Seat belts were a highly advertised feature. Later, it was such a popular feature that gas stations sold them for installation in older cars, much like large stations sell aftermarket cupholders today.
Here's a Chevron ad, only $5.95 for this great seatbelt:
https://www.thrillist.com/vice...
After Ford was putting the belts in all of their cars, and after owners of older cars picked up the new-style seatbelt from the corner gas station, then the government said "oh yeah, that's a good idea. Let's mandate that."
We can require everyone to use formal methods, but don't expect any updates to OpenSSL/LibreSSL this decade.
It would cost $2.4 billion to reduce the bug density in the Linux kernel to 0.00045 or less and keep it there for a year.
Current status: https://scan.coverity.com/proj...
That's very nearly bug-free. It would actually be 100% bug-free in all components that don't require features that are inherently unreliable. The government could afford it, most corporations could not.
I would actually like that for Linux, have a huge program to perform a proper detailed clean-up of the entire kernel. No loss of functionality, just a loss of bugs. It's used in many important areas and no system can be more reliable than the OS it uses.
But you can't ask people to design KDE that way (although they could design it better), nor could you ask a commercial vendor like Oracle to get their database to that standard. Only a government has the money needed and even then only for a few projects.
When it comes to encryption, it's worse. We don't know what constitutes good, we only know some things that constitute bad. Same for authentication. Ergo, we can define minimum standards by defining what is bad, but we can't define anything better.
Open source doesn't help, since nobody does test driven development and almost nobody tests. Documentation is dreadful. Want to show otherwise? Sure, go ahead. Reply to this with a file in CPNTools format that shows the full state machine for the IPv6 stack. That should be easy, you have RFCs showing the datagrams and state changes.
Such a diagram can be drawn, but not by anyone here in any sane length of time. That's full-time work for a large team of high-end experts.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
in the airline business there's huge government safety overhead because lots of people die otherwise. in iot they don't die. we don't need standards. we need smarter consumers. buy junk, get junk. doh.
nothing to see here - move along
They're not the problem, they are at least responsible for it themselves.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
That was entertaining, thanks.
Watching my young daughter has taught me some things. Such as:
> And law of torts begat liability.
Two year olds very much understand "it's your fault and I'm mad at you", liability for harms done is not an invention of government.
What I thought was interesting is that two year olds will get really mad if another two year old copies their drawing (scribble) or song. Copyright seems to be instinctual.