More Hype
Sounds like more IOT hype just not from the usual suspects.
Can't say I am that worried about IOT security because I still can't imagine a thing that I would have any real use for.
Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier. “Governments are going to get involved regardless because the risks are too great. When people start dying and …
We are witnessing the origin story of the Butlerian Jihad. In real time.
As for me, I am already dead against IoT and I will ensure that neither my fridge nor my toaster nor anything but my PC will ever, ever be connected.
Not without a T-1000 acting as firewall. Emphasis on fire.
The inductors needed to attenuate powerline networking are really huge, and so very expensive.
Back before there was an EU standard written, we did some testing and it turned out that the only affordable way to block powerline is the local substation or pole-top transformer.
Which actually doesn't work anyway because the radiated emissions are such that it's basically wifi.
"The inductors needed to attenuate powerline networking are really huge, and so very expensive."
Really? I fitted a simple mains filter from RS as part of my PC's mains conditioner. When plugged in after it, the powerline networking totally fails. No other unit sees a signal. When the powerline adaptor is plugged in upstream of the filter, it works fine.
The choice is between smart (well-informed) or stupid government regulations
Evidently he's not got much experience of the British government, where our choices are going to be between really stupid and bloody stupid government regulation. Our political decision makers are intellectual lightweights who know so little about IT, science, technology, or even business that failure is baked into everything they touch.
Evidently he's not got much experience of the British government
I think he's well aware of it, not least because he used to be employed by the BBC. (And the British gov is not the only stupid one in the world.)
But you don't go on stage at a major security conference and call out the government for what they are. It closes all doors for any sort of communication in the future. So you keep your reasoning along the lines of "haven't lost all hope just yet". Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?
Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?
Well, a nice government sinecure keeps the wolf from the door. Take the money, don't do anything, don't rock the boat. If your standards are low enough, working for the government is a dream job.
But on the other hand, when you look at any of the really intelligent guys who become government advisors, the fuckwits of the establishment ignore their advice, and just keep doing what they wanted to do in the first place (e.g., Prof. David Nutt, the late, great Sir David MacKay, and more than a few others).
"My house will be reasonably smart, but as such not connected to the Internet."
Fifteen cents the 'chip', plus antenna. Who needs to warn You, miserable consumer?
Better get a good radio scanner.
God! WHERE are we going?
It could pass half a life silent, and then when a passing Bluetooth 'sucking' device agent passes by....
Reasonably Smart is the way to go. Back in the olden days I went to a network industry conference called Interop. There I stood next to a very odd, but very real Clifford Stoll (https://en.wikipedia.org/wiki/Clifford_Stoll) and another famous network "celebrity", the original Internet Toaster (see https://en.wikipedia.org/wiki/Simon_Hackett). Anyway, I saw the toaster and thought: how fun! It was a laugh; no one expected there to be IP-laden toasters with RJ-45 connectors next to the Dark/Light knob. But who knows? Now they are coming, and consumers will probably buy them, and make some toast with an app, and have a laugh. But do we really need all appliances working on my internets, then perhaps connecting to the real Internet? (Hi again, elreg. Why is it Internet-of-Things, and not internet-of-Things? Surely you have time to hit the shift key for THAT?! :P) Does my TV need an Internet connection? Sure, if I want it to view Hulu or other built-in apps, that would be fine, I guess, but I already have dedicated products for that, and with the state of crap firmware and the need to always update, perhaps I'm better off with a dumb TV and smarter, yet controllable, smaller devices.
The IoT, or ioT for elreg, is a dream for hardware designers who want to make a thing "smart" at the expense of dumb consumers who think they need that level of control over their devices. However, I think the industry for this is going to come to a realization that most people don't need any of these "smart" products; we just want smarter products and some control over how they gather and send data. There will be a mad dash to get these devices to market before the consumers get wise to the inherent security issues with having a fridge talking to various vendor and affiliated networks for no good reason other than: "oh, you can do your shopping list right from the fridge itself, it scans your barcodes and tells you when you need more milk, and other stupid shit that you could jolly well do yourself, but perhaps are too lazy or stupid." "Lazy and stupid customers!? Where do we sign up for them!" -- Every IoT maker today
It's all coming soon to a supermarket or electronics store near you. Beware. I'll still purchase a new toaster, but it better be happy with firmware v1.0.0 and never EVER getting to see the light at the end of a VPN tunnel. YMMV.
Well personally I'd rather do things properly. Businesses decide who does what when and they're not particularly interested in fostering a culture where things take longer than the bare minimum to get done.
“We’ve allowed programmers to have this special place in society to code the world as they see fit,” Schneier said.
Bruce seems to be not well enough advised about the State of Affairs in IT. Coders DON'T code the world as they see fit. At least not as a profession. Bruce is looking at the wrong side of the Company, Corp.
On Bruce's behalf: Coders ARE, and have been indolently, unprofessionally, unethically playing the card: Did what I was ordered to do.
Sooner or later it will hit the fan big time. Cars will be hacked and forced into accidents, houses set on fire or otherwise damaged. Personally I don't want any IoT in my house, ever; but that assumes that IoT-free housewares will always be available. Most TVs on sale now are internet connected and the gullible public will likely slowly uptake more IoT products over time; they may not have much choice in the end, e.g. so called "smart meters" being forced onto everyone.
The hackers will range from bored kids having fun messing with your appliances from the comfort of their bedrooms to organised hacking by foreign governments and terrorists. Even "friendly" governments and our own might not pass up the opportunity to eavesdrop on the proletariat via whatever means IoT provides.
Programmers will continue to be under pressure to churn out code that "works" without necessarily having good security in place. I can't conceive of how secure coding could be legislated, checked or enforced by law.
Governments will eventually act, in their usual clueless manner, passing laws that miss the point and just make life difficult for everyone. I don't see any happy outcome from IoT. Even if good security is baked in, security holes are likely to turn up and require patching, which in turn opens up another can of worms allowing external access to the core of IoT devices.
IoT is just a slow motion train wreck, however you look at it.
I'll just add that IoT may not just be a metaphorical train wreck: if you end up with IoT embedded in railway signalling, automated crossings and track-changing equipment, the outcome may be far more serious. When IoT is incorporated into critical infrastructure, you are risking more than a "blue screen of death" or system crash.
Yep, one way or another, we're doomed. The irony is not lost on me - civilisation will not end with a bang (aka global nuclear war as envisioned in nearly all the SF from the mid 1940s to the late 1980s). It will end with our smart toasters burning down our houses (after ratting us out to the ever-increasing surveillance state), with our smart fridges cleaning out our bank accounts by ordering a 100-year supply of groceries, with our smart lawnmowers mowing down our pets, with our self-driving cars blocking the roads to hospitals and power stations, and so on. Future historians, if and when a new civilisation arises from the ashes of ours, will call our era 'the stupid times'.
In the 20 or so years I've been in the IT field, much of which has been doing systems integration work on really crappy software, I've often wondered why we don't have some sort of PE-style licensing arrangement. This would in my opinion get around "regulations" forcing people to code a certain way, by making individual practitioners responsible for the abominations they write. The second you try to regulate something like coding methodologies, it'll be obsolete overnight. Let's say you're able to replace the hodgepodge of educational backgrounds out there with a reasonable set of prerequisites. Make sure people actually understand what the stuff they're writing does when run on real-world systems.
I fall into the self-trained camp, but I would welcome the opportunity to make my education more formal. PEs require an engineering degree, experience and a licensing exam as a minimum barrier to entry. I'd say that beats coder bootcamp and stackoverflow reading any day of the week.
And, as much as malpractice lawsuits scare me, the idea of personal responsibility for bad work holds value for me. One thing about our field that drives me nuts is watching someone screw something up, entirely their fault, then get fired, then land another job a week later with a hefty raise. Mistakes shouldn't be able to be covered up by cleaning up your resume and applying somewhere else.
It would also require a shift in management policies. Programmers often work to a list of priorities and deadlines specified by their line manager. Whereas a surgeon who is professionally responsible will take as long as required when operating on his patient, would programmers be given the same freedom and flexibility? If managers prematurely say a project is "good enough" to release before the programmer is happy with the security what then? A programmer who refuses to sign off prematurely may find himself replaced with others who would. Who would be responsible in the event of an IoT disaster resulting in the loss of life? If a programmer is working as part of a team, you could end up having to sign off each line of code you wrote. Which line is responsible for an IoT disaster? It may be far from clear with many interrelated modules developed by many different programmers plus third party software components.
Also, with much of the focus nowadays being on outsourcing programming to the cheapest programming-factory in India and elsewhere, would there really be the required focus on sound security practices?
PEs also require that you are supervised by a PE.
So great if you are a mechanical engineer at Ford, trickier if you are at a startup.
Although it works great for us. It neatly divides each new graduate crop into those that eventually want a nice safe job in local government (where professional status is required for all managers) and so go and work for whatever large utility will tick all the PE boxes. And those that actually want to make something new and interesting.
... the idea of personal responsibility for bad work holds value for me ...
You're not talking about responsibility, you're talking about accountability.
Making individual developers accountable for failings in their software will ensure that people get punished for doing bad work, but it won't prevent bad work from being done -- just ensure that the same people don't do bad work twice!
To ensure that a piece of work will be good you need first to have the will to make it good, knowing that it would be cheaper to make it bad. You then need to foster a culture in which quality is a primary goal, one in which short-cuts are NOT taken, one in which testing is part of the development cycle. Everyone involved in a development project should understand what the product is meant to do, what it's for, how it will be used, how its components fit together, what might go wrong with it in operation, and what might be done TO it in operation. Assumptions must be challenged.
Yes, I think professional certification would be good for our industry if only because it would mean that the people doing the actual work would be able to demand some respect from the people they work for, and having management with the same qualifications would mean that our managers will actually understand what you're talking about when we go to them to discuss technical problems.
An assumption in mechanical engineering is that madmen with spanners won't clamber all over the machinery undoing the nuts and bolts, yet this -- or something analogous to it -- is exactly what happens in software. We need better defences in software.
The way to ensure that the defences are built is to make companies -- not individuals -- accountable for the failings of their products. Set down legal standards that must be adhered to, with which individual software and hardware products must comply. Something like a BSI kitemark, but as a legal requirement. It'd add a layer of -- unacceptable, to some -- bureaucracy, but it's the only way to keep the cheap shit off the streets.
Your new lightbulb connects to the internet? Well, then, it must employ some access control, it must use encrypted connections, it mustn't expose any unnecessary interfaces, it must pass a certain basic set of penetration tests. If it doesn't pass the tests you can't legally sell it. If building it to meet the standard makes it too expensive for the market then perhaps you should have thought of a more commercially viable product in the first place.