back to article Bruce Schneier: The US government is coming for YOUR code, techies

The Open Source Leadership Summit began on Tuesday amid roads closed by a landslide: held in The Resort at Squaw Creek near Lake Tahoe, California, it was not easily accessible to attendees traveling Highway 80 from the San Francisco Bay Area. During his opening keynote, Jim Zemlin, executive director of the Linux Foundation, …

  1. The Man Who Fell To Earth Silver badge
    FAIL

    Well, maybe we should not put software in everything

    Car's critical control systems don't need to have Internet access. If it needs updating, require a cable so it can be isolated from all the car electronics that do have remote access, like the radio.

    My phone does not need to talk to my fucking toaster, refrigerator, MixMaster, light bulbs nor my door knobs. Nor to my pace maker. Again, need to offload data from a medical device? Require a cable or very very near field (encrypted) if it's an implant.

    Just because one can put software in a flower pot to make it "smart", doesn't mean doing so does anyone any good.

    1. a_yank_lurker

      Re: Well, maybe we should not put software in everything

      IoT = Idiocy of Things

      More to the point of another feral bureaucracy, why would anyone expect competence from a group which is known for their incompetence? That is the definition of insanity.

      1. John Smith 19 Gold badge
        Unhappy

        IoT = Idiocy of Things

        Nice.

        Better than my current favoured "Internet of S**t"

        Still don't like the idea though.

    2. Orv Silver badge

      Re: Well, maybe we should not put software in everything

      I don't think it's realistic to expect car systems to be completely air-gapped, because a lot of features in current cars rely on getting information from the ECU -- e.g., services like On*Star need to detect airbag deployment and be able to pull trouble codes; satnav systems sometimes use speed and steering wheel angle data to improve accuracy. But I think more attention needs to be payed to security on interfaces like CANBUS. Ideally each module would have a whitelist that allowed only certain commands from particular modules. e.g., maybe the On*Star module has only read-only access to the ECU, but enough read/write access to the chassis computer to command it to open the door locks. That would at least lessen the impact of a compromise. OTA updates should be out of the question.

      It's also worth noting that air-gapping doesn't necessarily make badly written software *safe*, as Toyota demonstrated. There are more threats involved here than just hackers.

      1. Tomato42
        Boffin

        Re: Well, maybe we should not put software in everything

        @Orv: there is an idea of a "data diode", where data can go just one way, but not the other. So it is possible to extract the data without being able to influence the systems that provide it.

        And sure, it's possible that the "diode" will be badly designed and you will be able to overload it or crack it to influence ECU from the entertainment system, at least it won't be simple. Car makers need to start designing for security, not only safety.

        1. Lord_Beavis
          Linux

          Re: Well, maybe we should not put software in everything

          "Car makers need to start designing for security, not only safety."

          And where Microsoft is concerned, the would need to do the same except not just for the money.

        2. The Man Who Fell To Earth Silver badge
          Go

          Re: Well, maybe we should not put software in everything

          @ Tomato42

          An optical data diode, where an LED blinks at a phototransistor, especially where each side of the optical link has a separate power supply, is pretty damn good as a "one way" data link. There are even analog versions. They have been around for decades, usually as a form of "opto isolator". You can even find power supplies isolated this way. In the early 1990's, I worked for a company where for EMF shielding purposes, we bought power supplies that basically were a laser fired up an optical cable into a solar cell. The output of the solar cell was locally voltage regulated & filtered. Isolated the power supply damn well from the mains, as there wasn't even a common ground..

        3. bazza Silver badge

          Re: Well, maybe we should not put software in everything

          @Tornado42,

          Car systems already use "data diodes" to separate critical systems from non-critical stuff like the radio, etc. They're generally not optical as one normally perceives a data diode, but they aim to accomplish the same end result.

          Mistakes in implementing this separation is what cost Fiat-Chrysler a $500million fine.

        4. Doctor Syntax Silver badge

          Re: Well, maybe we should not put software in everything

          'And sure, it's possible that the "diode" will be badly designed '

          That would take some effort. All that would be needed would be an API with a read function and no write.

      2. Anonymous Coward
        Meh

        Re: Well, maybe we should not put software in everything

        I don't think it's realistic to expect car systems to be completely air-gapped, because a lot of features in current cars rely on getting information from the ECU -- e.g., services like On*Star need to detect airbag deployment and be able to pull trouble codes; satnav systems sometimes use speed and steering wheel angle data to improve accuracy.

        It is a question of trade-offs. e.g. If you want a sat-nav able to read speed and steering angle from the engine, then you should be prepared to accept the trade-off of dying horribly in a hacker-generated car crash.

        My trade-off would be to have a slightly less accurate sat-nav.

        1. AndrewDu

          Re: Well, maybe we should not put software in everything

          my trade-off would be to read the Sat Nav and drive the damn car myself. You'll need to stay awake, sober, and alert anyway (oh yes you will, whatever they say) so you may as well.

        2. Nick Ryan Silver badge

          Re: Well, maybe we should not put software in everything

          It is a question of trade-offs. e.g. If you want a sat-nav able to read speed and steering angle from the engine, then you should be prepared to accept the trade-off of dying horribly in a hacker-generated car crash.

          Why would a sat nav being able to "read speed and steering angle" allow hacker generated car crashes? If the sat nav could in turn control the vehicle's speed or direction then, yes, but otherwise these should just be additional input data streams into the sat nav's system.

          /confused

          1. Anonymous Coward
            Happy

            Re: Well, maybe we should not put software in everything

            Why would a sat nav being able to "read speed and steering angle" allow hacker generated car crashes? If the sat nav could in turn control the vehicle's speed or direction then, yes, but otherwise these should just be additional input data streams into the sat nav's system.

            If the car just passively broadcast this information without any communication from the sat nav to the car, then fine, but that isn't the usual design philosophy.

            A typical architecture is a bidirectional data link where the car receives commands and responds to them. If there is a route to access safety critical systems in the car from anything connected to the Internet (which a sat nav might very well be), you could not be confident that the car could never respond to carefully crafted malign commands. These might do things like interfere with the steering or vehicle speed.

            It might not be what the automobile systems designers intended, but building secure systems is extraordinarily hard, and this sort of attack has already been demonstrated, for example https://www.theregister.co.uk/2015/07/21/jeep_patch/

      3. Kiwi
        Boffin

        Re: Well, maybe we should not put software in everything

        e.g., services like On*Star need to detect airbag deployment and be able to pull trouble codes;

        That sort of thing doesn't need write-access to other system memory though! Back in my BBS days my autoexec.bat file looked for various "flag files" which would be created before the machine was rebooted for various events, eg weekly system maintenance - effectively "If exist maint.flg call maint.bat"

        The content of "maint.flg" could be anything, the existence of the file was the critical thing.

        Of course, things like pulling codes can be done just as easily - the OnStar tracking system can monitor the content of files that get updated by other systems as needed - RO to OnStar but writeable to what needs it. And FFS check sizes. If you're expecting a single byte then read no more than a byte.

        (Yes, I do know bounds checking etc can be tricky and there can be things you never consider that become common place in RealWorld situations - but some limits aren't that hard to code and decent effort should be taken!)

        Actually much of the concerns over car computer failures would be quickly dispelled if this drive-by-wire sillyness was done away with. Steering and brakes directly connected please, and if necessary a "hard stomp on brakes shuts off power to fuel pump, injectors, and (for petrol engines) ignition system" system. Physical isolation, not some electronic jiggery-faultery.

    3. Oh Homer
      Big Brother

      Re: Well, maybe we should not put software in everything

      Or maybe we should just code everything outside the grasping jurisdiction of the US.

      1. Updraft102

        Re: Well, maybe we should not put software in everything

        "Or maybe we should just code everything outside the grasping jurisdiction of the US."

        You think there is something unique about the US government that makes it a threat to liberty beyond all others?

        ALL governments are like this. Government is inherently evil; a necessary evil, but evil all the same. The more power a government has, the more power it wants, and the more likely it is to use that power to get still more power. Those in power begin to have a conceit where they believe their judgment is better than everyone else's, and that the world is genuinely in need of anything that would substitute their insights for those of the unwashed masses (us).

        What do you think we oft-downvoted people have been trying to tell you folks that seem to think that more government involvement in any given area solves problems? Government is not the answer to problems... it's the cause of them! The more you clamor for government to regulate this or that, the more you convince the government creatures that modern society demands that our "betters" make all the decisions for us, what with us being so bad at it and all.

        Since government is a necessary evil, we can't get rid of it, but we can make it less likely to get powerful enough to do what this article discusses. When the US was formed, it was to be a federation of the states. Most governing would be done at the state level, with only a few specifically noted powers that were the exclusive domain of the federal government (federal, meaning related to a federation). The idea was to keep the power decentralized and the fed relatively weak, so that it would lack the power to do things like what we're talking about here.

        Over the decades and centuries it has grown into a de facto national government, with only a few vestigial remnants of the federalism that was the basis upon which the entire country was founded. Now it's this out of control juggernaut that just does whatever it wants, regardless of what anyone wants (even the president). Any government WILL get to that stage and beyond if you allow it.

        If you see any parallels between the US government of time past and the current EU, you win the "I've been paying attention" award for today. The EU is a federation where most of the government is supposed to be done at the state level too (as in nation-state), but like the US government, it's evolving, consolidating its power one step at a time, replacing the sovereignty of the member states with its own.

        You don't want to let any government get that powerful. Take any one government in the world and grant it the power the US government has, and I guarantee you it will behave no better than the US government does, and possibly a lot worse (depending on which one you picked).

        1. strum

          Re: Well, maybe we should not put software in everything

          >You think there is something unique about the US government that makes it a threat to liberty beyond all others?

          Er, yes. You mention it yourself - power. As we know, power tends to corrupt, and the USA is the most powerful nation the world has ever seen. How could we imagine that it could be other than the most corrupt?

        2. NantucketClipper

          Re: Well, maybe we should not put software in everything

          It truly is amazing the number of down-votes you received for your well-written, logical post. Oh well...

        3. Oh Homer
          Headmaster

          Re: "unique US government threat to liberty"

          Yes, it's called Trump.

          Certainly the hysterical paranoia over "terrorism" (that thing that's 17,600 times less likely to kill you than heart disease) is not unique to America. Uniquely belligerent, yes, but not entirely unique.

          And the US government is also not unique in its violation of civil liberties, but (again) its violations are far more pervasive (basically the entire planet), largely due to being better funded (trillions of taxpayers' dollars).

          Basically, the US is a uniquely belligerent warmonger, that has declared everything even remotely not American to be "the enemy", then for good measure included everything that is American anyway (i.e. the entire population of the US), just in case, by militarising the police, having the highest slavery "incarceration" rate in the world, then spying on everyone for good measure. It isn't the only violator, but it is easily the worst, quantitatively speaking.

          Is this the inevitable consequence of government - any government - in principle?

          No, not really.

          When was the last time Denmark bombed, invaded and occupied anywhere, for example? When did Sweden blatantly lie about WMDs, then use that lie as a pretext to commit genocide on millions of innocent civilians? When did Iceland bail out the criminal bankers that brought us this grim era of "austerity", then declare war on the poor ("If you feed them, you breed them")? When did Norway commit collateral murder on children using killer drones? How many "regime change" operations has New Zealand conducted recently? How many "black sites" does Belgium currently use for kidnapping "extraordinary rendition" and torture "enhanced interrogation", on average? How many nuclear weapons has Finland dropped on civilian populations recently? How many Cold Wars have been created by the Netherlands, then used as a template for neoliberal policy to infest the rest of the world through "special relationships" and "trade deals"? How much illegal surveillance does Switzerland conduct on US (or any other) citizens, approximately?

          The principle of government is not the problem, it's just one government in particular, one that lacks any accountability, because it isn't even remotely democratic, it's mostly controlled by corporate lobbyists.

        4. find users who cut cat tail

          Re: Well, maybe we should not put software in everything

          > You think there is something unique about the US government that makes it a threat to liberty beyond all others?

          Yes, raw power and world influence combined with awareness of them.

          Governments of small countries may be equally evil. But their ability to influence global developments (such as IoT) is pretty limited and they rarely think and act on world scale. And yes, the US is not even really *unique* in this regard, but still a member of a very small select group.

      2. AdamWill

        Re: Well, maybe we should not put software in everything

        Um. Because, what, other governments don't have a track record of regulating things that have an impact on human safety? There's no food standards agencies in other countries? Health and safety agencies? Hazardous chemical regulation?

        Schneier is perfectly right, and people just waving stupid ideological flags about 'hur hur the government's always incompetent hur hur' isn't going to achieve anything.

      3. bombastic bob Silver badge
        Pirate

        Re: Well, maybe we should not put software in everything

        "Or maybe we should just code everything outside the grasping jurisdiction of the US."

        Or, for those inside the USA, to express OUTRAGE to politicians when necessary (in the form of direct mailing - a well crafted independent hardcopy snail-mailed letter actually has a pretty good impact, because you took the time to do it), and to put everything you do in public places so it can't be erased, EVAR.

        and include some legal disclaimers like "AS-IS" and "NO LIABILITY" in the accompanying docs.

        GPL already has something like that in there, last I looked.

        it's not easy to govern against the will of the governed. it ultimately FAILS. And the LAST thing we need in the world of SOFTWARE is GOVERNMENTIUM. The 2nd last is a tollbooth, but Micro-shaft seems hell-bent on making THAT happen with their 'certification', but I digress...

    4. martinusher Silver badge

      Re: Well, maybe we should not put software in everything

      Real time software is engineering that just happens to have a logic component implemented in software. Unlike a typical desktop application its not a standalone program but a component in an overall system and to understand the code you have to understand the system. Its one of those things that's obvious to practitioners but difficult to explain to people who mostly write applications (and why its so difficult to find people who can write this type of code).

      Contrary to popular belief it is really easy to make reliable real-time code and its also easy to prevent it from being corrupted. That these things happen is caused by sloppy software engineering -- or rather, the invasion of applications programming techniques into components where they don't belong.

      1. Doctor Syntax Silver badge

        Re: Well, maybe we should not put software in everything

        "Real time software is engineering that just happens to have a logic component implemented in software. ...Contrary to popular belief it is really easy to make reliable real-time code and its also easy to prevent it from being corrupted."

        Why not implement it in hardware with an ASIC? Presumably in order to be able to make maintenance changes later. And that way lies a risk. The initial design might be well written reliable code but all too often maintenance is seen as a not very interesting job that gets given to juniors and gradually your original well written reliable code becomes badly structured not very reliable code.

        1. Ken Moorhouse Silver badge

          Re: Well, maybe we should not put software in everything

          Just because something is Read Only doesn't mean you can't write to it. There are well-documented instances of power rail fluctuations on one system affecting adjacent systems in a way that can be predicted and harnessed.

          Casual observers can look at hardware/software and see nothing wrong with it. At the next layer down PCB designers will have a different perspective on that.

          Real-world example: You can look at a London Underground signalling circuit diagram and ascertain there is nothing on that circuit which could possibly show a green signal when a red one should be shown. However, when you consider various failure modes and the effect of spurious external stimulii you will begin to understand why there is a possibility that it might happen, and why signal engineers seem to go to paranoid lengths to ensure that never occurs. Going to the extent of such things as generating an alternating current frequency (125Hz) that is not harmonically related to the normal AC mains for example.

          Real-Time is difficult because of failure-modes and external stimulii.

          1. aeio_

            Re: Well, maybe we should not put software in everything

            Beware of bugs in the above code; I have only proved it correct, not tried it. -- Donald Knuth

            https://en.wikiquote.org/wiki/Donald_Knuth#Sourced

    5. Milton

      Re: Well, maybe we should not put software in everything

      Your car's software will absolutely, soon enough require some form of net access. For self-driving cars to work to their full and safe potential, they will unquestionably need to talk to and listen to other cars in the vicinity ("Hard braking 170 yards ahead, pedestrian incursion: preliminary slowing NOW"); to be advised of aggregated data from cars far distant ("Road to hell is very slow for 30 miles northbound: take THIS alternate route"); and oversight traffic management systems ("Do not enter Central London at this time, a bomb scare is in progress").

      Building an extremely secure hack-resistant system is of the highest importance. And yet another example of why strong crypto, i.e. without idiot government's "good-guys-only back doors", is absolutely critical. If your car's gonna take the alternate route to that important meeting, you need to be able to trust the information it's based on.

    6. Paul Renault

      Re: Well, maybe we should not put software in everything

      But, if the software put into a flower pot was for a SDR, then maybe we could confirm what was meant by "Oh no, not again".

    7. aeio_
      Big Brother

      Re: Well, maybe we should not put software in everything

      "Car's critical control systems don't need to have Internet access."

      Oh, but you're wrong. TERRORISTS/CRIMINALS can drive a car, so they need to be stopped. [1] Possession may be 90% of the law but if you don't pay your bill you're not going anywhere in it. [2] Car out of internet signal range? No problem. [3] And it's great for insurance companies. [4]

      No internet connected pacemaker? What are you, a anti-job Luddite? [5] Just THINK of the jobs you're denying: creating the device, securing the device, the ISP, WiFi support, and then RE-securing things after a remote break-in. Also: with a pacemaker embedded virus you give the "a computer virus isn't actually a virus, people can't get affected with it" line a whole new life.

      And then the retailer coup de grace: You're still got that old thing? It's last years model, nobody wants those anymore. You're lucky I'm still around to take it off your hands to take if off your hands for nothing IF you buy the new one. Just think what your friends will think when they see you with this new one!

      [1] http://abcnews.go.com/Business/Autos/story?id=3706113

      [2] http://www.cbsnews.com/news/why-the-repo-man-can-remotely-shut-off-your-car-engine/

      [3] https://www.policeone.com/police-products/Pursuit-Management-Technology/articles/6755618-Vehicle-mounted-device-disables-car-electronics-at-50-meters/

      [4] https://qz.com/230055/car-insurance-companies-want-to-track-your-every-move-and-youre-going-to-let-them/

      [5] http://www.digitaltrends.com/computing/pacemaker-data-arson-charges/

      OK so just data, no internet in this one. But just think how handy it would be to connect your pacemaker, FitBit, phone GPS, and diet monitor together. The system could see how hard you're exercising (and heart beating) and know where you are. In case of a a heart attack (no movement / steps / heartbeat) they could auto-call the nearest ambulance. If they find you running hard on the wrong side of the tracks they could call the police with your location. (And with smart clothes, even what you're wearing!) And as a great joke on a friend, just think about the internet connected bionic penis!

  2. Anonymous Coward
    Anonymous Coward

    Value!

    ...foundation's projects have created $14.5 billion worth of value, as measured in cost per line of code.

    So, in other words, the $14.5B is an imaginary number.

    1. b0llchit Silver badge
      Holmes

      Re: Value!

      Imaginary numbers are postfixed with an 'i' (or 'j' in electronics).

      The problem in economics is that the real and imaginary parts became exchanged when value started to be measured using an intermediate currency instead of the goods it covers.

    2. Tomato42
      Happy

      Re: Value!

      yes, it's an imaginary number, the $ before it indicates it

      https://en.wikipedia.org/wiki/Fiat_currency

    3. Oh Homer
      Alien

      Re: Value!

      Yes, the entire concept of "creating value" is a farce. In reality, it means spending a (ideally) small amount of your own money to take a (again, ideally) larger amount of somebody else's money. The total "value" in the system doesn't actually change, it just gets moved around, except in the sense that the stuff this "value" comprises is increasingly trivial junk (First World solutions to First World problems), and therefore it's probably more accurate to say that, overall, the practical value of everything is actually being diminished, not improved.

      1. bl591n

        Re: Value!

        If initially A manufactures cars and B manufactures computers, then C came up with the idea of jet engines and start manufacturing jets, then C will have created value.

    4. tr1ck5t3r
      FAIL

      Re: Value!

      Thats not a lot considering billy hedge-door is gonna be a trillionaire soon, and how much money have all those businesses running windows generated because of windows? Even the windows bugs are making money!

    5. Trey Pattillo

      Re: Value!

      So, in other words, the $14.5B is an alternative value.

  3. Anonymous Coward
    Anonymous Coward

    Traveling in the Donner Pass Has Improved

    > Donner Pass on Monday evening. The trip at least was less arduous than it was last year, he said.

    In olde times, it happened that people were stranded in the snow there for the winter, freezing to death, and needing to eat dead bodies to survive. So, I would call this a continuously better progression.

    1. Mephistro
      Devil

      Re: Traveling in the Donner Pass Has Improved

      "..,and needing to eat dead bodies to survive."

      So, no vegan survivors then?

      Good... good...

    2. Stumpy

      Re: Traveling in the Donner Pass Has Improved

      Surely in the Donner pass, they would have just eaten kebabs to survive?

      1. MrT

        Re: Traveling in the Donner Pass Has Improved

        Mr Plow fighting through the drifts to deliver extra-hot chili sauce.

      2. fidodogbreath

        Re: Traveling in the Donner Pass Has Improved

        Surely in the Donner pass, they would have just eaten kebabs to survive?

        Well, they ate Kay and Bob...same general idea, I suppose.

  4. Anonymous Coward
    Anonymous Coward

    Government of things

    So I guess we will soon see a 'Government of Things'

    They can kiss my ass anyway. I will continue to do whatever it is that I do regardless and when they come looking I will be sitting in a sleepy semi lawless Asian backwater as always.

  5. elDog

    Shouldn't we just use Microsoft? They're pretty secure

    I can't think of a single nuclear bomb that went off over a major city because a fault in Windows.

    Or Java.

    Yet.

    1. Anonymous Coward
      Anonymous Coward

      Re: Shouldn't we just use Microsoft? They're pretty secure

      A doctor friend of mine said to me many years ago, "Good thing they won't let you put 'General Protection Fault' down as a cause of death on the certificate."

    2. Not That Andrew
      Mushroom

      Re: Shouldn't we just use Microsoft? They're pretty secure

      If you read the EULA for Java you will see you are specifically prohibited from writing control software for nuclear reactors with it. I wonder why they felt necessary to specifically state that?

  6. elDog

    Motivation?

    ""Nothing motivates the US government like fear," he added, pointing to 9/11 and creation of the Department of Homeland Security."

    Sorry, Bruce. Nothing motivates the US government and the contractors and the lackeys and the mongers and the forces against transparency as fear. They live on it. They glory in it. They promote it. They profit on it.

    FEAR. Fear about those Russki's (well not now, with Trump being in Vlad's front pocket.). Fear about turbans and beards. Fear about free speech and questions at news conferences. Fear about rapists (well, isn't the president one?), fear about people south of the border.

    Used to be there was some positive emotions about how the US could actually be a melting pot. It could have whites/blacks/browns/atheists/non-atheists living on the same block. Used to be Woody Guthrie could sing something like, Come on people, Let's get together.

    Not in Trump's world.

    1. Oh Homer
      Childcatcher

      Re: "Not in Trump's world"

      In fairness, the "world" in question predates Trump's reign by several decades. Indeed I don't see much evidence that it has ever been any other way. The only difference is now the slaves sew mailbags instead of picking cotton.

    2. Updraft102

      Re: Motivation?

      Actually, that's more in Trump's world than the previous ones, but you'd never get that from the media. They have only one weapon, and that's personal destruction... and they're using it liberally.

      Draining the swamp necessarily enrages every resident of the swamp, and the media that give you the "news" definitely fit into that category. The screams of horror and fear and outrage you hear from the media aren't the truth! They are the distress calls from swamp creatures that fear that he may actually do what he set out to do.

      This was never going to be neat and clean... the corruption that formed the swamp has built up over decades, and it's not going to go down without a fight. Hillary Clinton is probably the swampiest swamp creature to run for office in decades (and that includes the times Richard Nixon ran), and all of the Republican candidates other than Trump were from the same neighborhood. Bernie wasn't, but his rapid re-education, sellout, and subsequent show of support for Hillary and the very same Democratic party that fixed the primaries to ensure he would lose indicates how quickly he would have gotten there if he'd won. That, and he's a little nutty and out of touch with reality if he actually believes the inane, childlike statements he makes.

      It's been swamp creature after swamp creature that have gotten us to where we are; do you really think electing someone who epitomizes everything that is wrong with politics was going to make things better?

      Trump has made a number of clumsy mistakes and misstatements as an inexperienced non-politician, but no non-pol without a massive ego and a bombastic personality to match was ever going to walk in, tell the electorate that he can do better than an actual pol, and WIN. Yes, he can be a boor. He's petty. He's willing to wallow in the mud by counterattacking those who attack him first, which is unseemly and unpresidential. The thing is, though, that he did not win despite those things; he won because of them.

      People are sick to death of the status quo, where professional politician after professional politician promises the world, then gets into office and does pretty much what the last guy did. They've begun to realize it's all a shell game, and they've all been had. Repeatedly. The purpose of the two-party system seems to be to give the appearance of a healthy public debate of ideas, and of people having a real choice between contrasting candidates, but the reality is that our choices boil down to one or the other candidate from the official party, the establishment party, of which the Democrats and most Republicans as well are simply puppets.

      Lots of candidates say they're different. Hell, most of them do. They're not, though. Outsider candidates like Bernie and Trump are supposed to be weeded out by a system wholly owned for, and for the benefit of, the establishment. It worked as designed when it dispatched Bernie, but when it fired its cannons at Trump, he didn't do what Republican candidates are supposed to do (duck and cover and go on the defensive).

      Trump was too egotistical and petty to do that; he instead hit back with his New York street-brawler style, and the truth of another old adage was made apparent: When you go on the defensive, you LOSE. That's why the establishment machine is all about the first strike; it's about putting the enemy on the defensive. The funny thing about human nature is that if you hear a person say, "I'm not a stamp collector," you'll then associate that person with stamp collecting, and even though the association was one of denial, in your head they're associated. You don't win by denying something over and over! You only reinforce the claim of the accusation you're trying to refute.

      That's where Trump's lack of polish, decorum, and political experience worked for him. When he was hit with massive salvos of attacks from the media (a division of the Hillary Clinton for President company), his ego would not let him apologize and genuflect like Republicans generally do. He went on the offensive and hit them back-- and in doing so, he countered the accusations people made about him with counter-accusations about his accusers. He didn't reinforce the accusations about himself by denying them; he balanced the scale by making it a he-said, she-said situation.

      No one but someone as petty and egotistical as Trump was going to beat the personal destruction machine of the establishment. That's why he won. Anyone who was more genteel or sophisticated would have been destroyed by half of what the establishment threw at Trump. And it's not over just because Trump won and was inaugurated! The anti-Trump campaign continues, and will continue for every moment he's in office. It's nothing but one lie after another, but what else is new?

      The establishment media is an arm of the Democratic party, and they're not going to start being fair now. They've watched, astonished, as Trump not only survived their withering attacks, but thrived in them. Their response is to launch even more of the same, in the hopes that somehow doing the same thing is going to have a different effect this time. A more traditional president might begin to give in to the attackers and dial back his rhetoric, but Trump wasn't brawling with his critics because that was his considered campaign strategy. He was doing it because that's who he is-- and still is. And just as it propelled him to 1600 Pennsylvania Avenue, their continued litany of dishonest attacks on him will continue to backfire on the media (which polls at historical lows of trustworthiness) and render their continued attacks more and more irrelevant, as more and more people realize that the western media are no better than Pravda during the Soviet era.

      Flawed as he may be, Trump's the only shot we have at ending the government as usual that got us to where we are. And by "we," I mean the world, not just Americans. No one that wasn't petty and egotistical was ever going to make it past the establishment sentries. It was either this or more of the same kind of politician we've had for decades.

      1. tom dial Silver badge

        Re: Motivation?

        This is a bit unfair to the Democrats. A considerable part of the Republican party is as much "establishment" as any Democrat. Despite their private horror of Donald Trump they have gone along so far because the power to organize the Senate and House of Representatives is a good thing from their viewpoint, and even better with a nominal Republican as president.

        Still worth an upvote, though.

      2. Pascal Monett Silver badge
        Trollface

        @ Updraft102

        You are eminently right, obviously.

        I suppose you also use a flamethrower to redecorate your living room ?

    3. Kiwi
      Paris Hilton

      Re: Motivation?

      (well not now, with Trump being in Vlad's front pocket.)

      You BASTARD! As soon as I read that this horrible "auditory mental image" came to mind.

      [Apols to the Def ones]

      "Skin on skin, let the love begin.. Putin"

      Hey, something that evil has to be shared.. (Is that why the yanks are quickly booking so many overseas visits for chump?)

  7. Lord_Beavis
    Pirate

    The choice

    "The choice is between smart and stupid government involvement..."

    Well, anytime the government is involved we know which way that goes.

    1. Anonymous Coward
      Anonymous Coward

      @Lord_Beavis - Re: The choice

      You're convenient forgetting the revolving door between the US government and a few large corporations where a fair number of brilliant corporate players become suddenly dumb in government positions after which they become brilliant again.

    2. bazza Silver badge

      Re: The choice

      "The choice is between smart and stupid government involvement..."

      Well, anytime the government is involved we know which way that goes.

      That's not completely fair. The State of California has been very good in its involvement with self driving car experimenters like Google. They've been allowed to drive their cars on the roads, but the State gets the performance data and, crucially, publishes it.

      The State's message is clear; they're not going to let Google or anyone else foist half finished unproven and potentially dangerous self driving cars onto the general public. And that's is exactly how it should be.

      The problem I think is that regulation of things like IoT devices is that effective regulations would amount to a ban. An effective regulation would be something like "it must be hack proof".

      But we just don't have the infrastructure or technology to make small embedded Internet connected devices that get updated, implement best security practices, etc. We can't even make a PC or Mac style computer that, when put into a home, won't become littered with malware within moment of someone browsing some dodgy website. What hope is there for some IoT device that's got to cost less than $50?

      Elections

      Any sane politicians know that when something predictable and bad goes wrong, they get it in the neck for not having intervened beforehand. And because they're elected, generally they lose their jobs as a result. So they regulate, and transgressers pay a fine or go to jail. It's a healthy set up. So if Internet connected air-conditioning systems start being seen as a threat to the electricity grid, they'll likely act before some script kiddie comes along and trashes the grid by getting every air conditioner to switch off at the same moment.

      What makes the current situation appalling is that "dangerous" things now includes automated trend-sensitive "news" selection algorithms on Facebook, Google, etc. These permitted fake news to play a significant role in the US election. The dangerous part is that the current crop of elected politicians owe their employment to the result of that election. So they don't see a problem with the situation, and aren't necessarily strongly motivated to do anything about it. Especially as it would mean imposing editorial controls on social media, the operators of which are amongst the most active lobbyists.

      That's a huge threat to democracy in general, and makes it more likely that one ends up with a week government that is more favoured by someone like Putin.

      National Firewall

      One aspect I'm not sure Bruce Schneier covered is just what a government can do about dodgy software, IoT devices, etc.

      Suppose some software or IoT device was identified as being a major problem, and had to be stopped, disabled, etc. How effective would a product recall be? Not very - people are very lazy when a device's bad behavior doesn't actually impact themselves. Suppose that some foreign-hosted Web service was spouting fake news and wasn't conforming to appropriate editorial rules during an election?

      What would be required is something like a government off switch, or the ability for the misbehaving device's or website's network traffic to be blocked.

      The latter sounds like it would need something not unlike the Great Firewall of China. I think that that's what we're going to see being discussed in the coming years. It's going to be a heated debate.

      But we may have to accept that if we want government to actually be able to intervene quickly and effectively when some Internet thing or some foreign website is misbehaving, it's going to need something with teeth, not just the power to issue a recall notice or a cease-and-desist letter (which won't work abroad anyway).

      1. Someonehasusedthathandle

        Re: The choice

        "Any sane politicians know that when something predictable and bad goes wrong, they get it in the neck for not having intervened beforehand. And because they're elected, generally they lose their jobs as a result."

        Sane politician....

        Lose their job....

        What fantasy world are you living in...

      2. Doctor Syntax Silver badge

        Re: The choice

        "Suppose some software or IoT device was identified as being a major problem, and had to be stopped, disabled, etc. How effective would a product recall be?"

        Did you read the article about the botnet on a University campus? If so you'll recall that they scanned for these devices (and fixed them by updating the passwords). So it can be done. Probably the most efficient way would be to impose the requirement on ISPs to scan their own estate, at least for devices visible through firewalls; they're not going to do it voluntarily but then they wouldn't be given the option.

    3. SVV

      Re: The choice

      "The choice is between smart and stupid government involvement..."

      I think you'll find the voters made that choice last November. Try watching the news any day of the week to see which one they chose.

  8. Herby

    Colossus, the Forbin project...

    Enough said...

    My opinion: The movie was terrible, they destroyed lots of perfectly good 1620 front panels!

  9. Notas Badoff

    Compare and contrast

    Phil Gramm: Bankers are smart people. They know what they are doing.*

    Bruce Schneier: We're going to have to have regulations because this is important.

    One argued we didn't need to regulate because we should just trust the smart people. Then 2008. And we still don't regulate those actors.

    The latter says the implications of trust without verification are unthinkable. Because of the dangers to society, etc.

    Oh, I don't know. Let's roll the dice. What could go wrong?

    * BTW: I can't find the original quote easily anymore. In this era of fake news it is very disturbing that real life can disappear.

    1. Updraft102

      Re: Compare and contrast

      It was regulation that made what the bankers did the most rational choice. They were behaving rationally, given the conditions set forth by the US government. If the Community Reinvestment act, Freddie Mac, and Fannie Mae never existed, neither would the 2008 crash have existed. These things are caused by too much government, not too little.

      1. matchbx
        Holmes

        Re: Compare and contrast

        "It was regulation that made what the bankers did the most rational choice. They were behaving rationally, given the conditions set forth by the US government. If the Community Reinvestment act, Freddie Mac, and Fannie Mae never existed, neither would the 2008 crash have existed. These things are caused by too much government, not too little."

        I'm still astounded that people don't understand this. I guess all the down votes are from people who think this is an opinion....

        Guess they'll down vote me too for agreeing with you.

      2. strum

        Re: Compare and contrast

        >It was regulation that made what the bankers did the most rational choice

        Utter twaddle. Regulation didn't force mortgagers to write duff mortgages. Greed did (abetted by a system designed to protect mortgagers from their errors).

        1. matchbx

          Re: Compare and contrast

          "Regulation didn't force mortgagers to write duff mortgages. Greed did"....

          But here's the rub... the Community Reinvestment Act that was passed by Jimmy Carter in 79 and given enforcement teeth by Bill Clinton prevented the mortgagers from questioning income information that was entered on applications....

          the Community Reinvestment Act was specifically created to FORCE the mortgagers into loaning money to low income people....

          1. Nick Ryan Silver badge

            Re: Compare and contrast

            the Community Reinvestment Act was specifically created to FORCE the mortgagers into loaning money to low income people....

            Perhaps, but it didn't force them to repackage these loans in to blocks, lie about the risk inherent in them and the go through a cascading game of pass-the-promisory-loan as if it had value until the stack was finally called in (in which case many lenders found that they were backing their own loans with their own loans).

            1. matchbx

              Re: Compare and contrast

              Perhaps, but it didn't force them to repackage these loans in to blocks, lie about the risk inherent in them and the go through a cascading game of pass-the-promisory-loan as if it had value until the stack was finally called in (in which case many lenders found that they were backing their own loans with their own loans).......

              I agree with you for the most part... They did it to minimize the risk (not saying it's right, but I do understand why).

              This was a very complex issue with a lot of moving parts... The original comment that started this had 8 thumbs down with no comments on why. To truly understand what happened you have to go back and look at what happened on almost a day to day basis...

              The thing to keep in mind IMHO is that this whole ball started rolling with Government Regulations.

              1. AdamWill

                Re: Compare and contrast

                Well, no, it didn't. The whole ball started rolling back in the days when there were virtually no government regulations, and so you had a whole bunch of tiny banks which went broke with depressing regularity and were loath to do business with each other.

                https://www.gilderlehrman.org/history-by-era/economics/essays/us-banking-system-origin-development-and-regulation

                "Banking crises occurred in 1837, 1839–1842, and 1857, years when many banks had to suspend convertibility of their bank notes and deposits into coin because their coin reserves were insufficient."

                "Banking panics occurred in 1873, 1884, 1893, and 1907. The last was especially embarrassing because by 1907 the US economy was the largest in the world, as was the US banking system."

            2. tom dial Silver badge

              Re: Compare and contrast

              Loan repackaging had been going on since the 1960s, when I made a small investment in a real estate investment trust. My 1983 mortgage was sold off to a repackager, although the local S&L that originated it continued to service it.

              The 2008 crash was a classic bubble of the type Charles MacKay described more than 175 years ago. It plainly was aggravated by the unintended consequences of laws and regulations intended to increase home ownership and ensure that it did not exclude racial and ethnic minority members, as well as enthusiastic participation by large numbers of dishonest borrowers, lenders, and resellers.

              Still, it is extremely doubtful that it would have happened without the strong encouragement of the federal government, which allowed risk to be passed on, as happens in all financial bubbles and is building up to happen even now for the college education bubble.

            3. Jaybus

              Re: Compare and contrast

              "but it didn't force them to repackage these loans in to blocks"

              No. It didn't force them to, but it allowed them to. Bankers were unwilling to make the low income loans, so the 1999 Financial Services Modernization Act was enacted during the Clinton administration to repeal parts of the 1933 Glass-Steagall Act and allow the banks to trade sub-prime loan backed securities. It was an incentive to get the banks on board with knowingly making loans to people who could not afford them.

      3. Anonymous Coward
        Anonymous Coward

        Re: Compare and contrast

        Updraft102, please stop repeating that nonsense about the Crash of 2008. The biggest subprime lenders were exempt from the Community Reinvestment Act, and Fannie Mae and Freddie Mac were for-profit privatized companies with publicly traded stock and private-sector managers, not government agencies. If you insist on blaming the CRA, then you must explain why it only caused trouble from 2001 to 2008 even though it's been law since 1975 and remains in effect today.

        1. matchbx

          Re: Compare and contrast

          If you insist on blaming the CRA, then you must explain why it only caused trouble from 2001 to 2008 even though it's been law since 1975 and remains in effect today.

          easy.... when the act was passed in 75 by President Carter it had NO enforcement teeth. I.E. if the banks ignored the law (which they did) there were no penalties, no fines..... nothing happened to them.

          President Clinton passed laws when he was in office that gave the CRA Enforcement Teeth... I.E. Fines and Penalties.....

    2. Swarthy
      Big Brother

      Re: Compare and contrast

      I can't find the original quote easily anymore. In this era of fake news it is very disturbing that real life can disappear.

      Don't worry, your chocolate ration has been increased to 90g per day.

  10. Anonymous Coward
    Childcatcher

    World -> Pot

    Times they are a changing, as someone was often miss-quoted.

    The world is still imperfect and nowadays we can pontificate about that in the timezone of someone else's choice to anyone who is "linked in" to the same bubble and can be arsed to hit refresh.

    In yesteryear it was Satan and witches, now we have Oracle (MS, Google, Apple int al) and IoT botnets. That's in the IT world. In the *ahem* real world we have ISIS and errr our own governments or something ... depending on your chosen/imposed religion.

    I'm a forty something bloke off of the UK and have seen a few things in my time. Nowadays is frankly odd and a bit disquieting. I'm sure I'll get over our civic liberties being drained away whilst I write twaddle on some forum or other. I feel so empowered being able to get a few UVs or DVs. At least I'm not a "like" whore.

    *sigh*

    1. bazza Silver badge

      Re: World -> Pot

      Like

  11. tom dial Silver badge

    But wait

    "Schneier ... plans to call for the creation of a new US government agency to sort through the issues arising from putting software in everything." This, presumably, will require laws, since government agencies do not "sort through the issues," but apply the laws enacted by the legislature and approved by the executive. Sorting through the issues, and reconciling the many competing interests, is the job of legislators who do not always do it well and often are somewhat clueless in technical matters. The recent history of the Cybersecurity Information Sharing Act is instructive.

    In the end, however, even if good legislation can be passed, it will not ensure that network connected devices that combine hardware and software will be secure, and the law will not apply to either US criminals (except as punishment if caught) or foreigners sheltered by uncooperative governments (at all). It also will not protect against clueless users who click on dodgy email or web links.

    1. Doctor Syntax Silver badge

      Re: But wait

      "the law will not apply to either US criminals (except as punishment if caught)"

      That's the case across all laws and criminals. Not having a relevant law simply means no punishment and no criminals, it just means no bar on people carrying out actions which would be a crime were there a law to define one.

      1. tom dial Silver badge

        Re: But wait

        The implicit point was that it is unclear whether having such a law will have much beneficial effect in limiting damage from shoddy software. In an environment where ensuring security of large software/hardware systems is all but impossible, legislating against insecure software is likely to be a waste of time.

        A huge number of IoT and similar devices with embedded computers run a general purpose operating system, and the SoC in many of them has roughly the complexity and capability of a late IBM S/370 system. They certainly qualify as "large software/hardware systems." Furthermore, a great many of these systems allow or even require end user configuration. That will generate vulnerabilities in addition to any that came in the box and confuse issues of responsibility for what, inevitably, will go wrong.

    2. Anonymous Coward
      Anonymous Coward

      Re: But wait

      "Sorting through the issues, and reconciling the many competing interests, is the job of legislators"

      In theory, yes, that's Congress's job, but they rarely do it. Instead, they write the law to indicate that a regulator will handle all the problems of actually deciding what should be done, thus abdicating their authority to the administrative branch. Then the Congress critters can claim that they've fixed the problem at the same time they complain that the regulator didn't do what Congress told them to.

      1. tom dial Silver badge

        Re: But wait

        Congress often does a shoddy job, but they are there for what I said, and a good deal of executive mischief comes from their failure to sufficiently narrow executive branch freedom to act.

        Moreover, through the well documented mechanism of regulatory capture, agencies designated in the laws tend to become most attentive and responsive to vociferous policy advocates These often the very entities that the agency is to regulate. The agencies also tend to recruit from and retire to employment by regulated entities; consider both Tom Wheeler and Ajit Pai, for example.

  12. martinusher Silver badge

    HIPAA -- a warning

    HIPAA is what happens when government tries to mandate how computer systems should operate. Its well meaning but it's effect is to holds back development and deployment of novel systems. You don't want that to happen to any nascent technology.

  13. chivo243 Silver badge
    Headmaster

    but, but

    Fear = Opportunity!

    Great, now our code will be overseen by people that can't code?

    1. bazza Silver badge

      Re: but, but

      Great, now our code will be overseen by people that can't code?

      One of the problems is that our code is written by people/teams who can't or won't code properly either.

      If a team set out to do something "properly" they'd be expensive and slow, and they'd never sell anything.

      1. kmac499

        Re: but, but

        I've spent the last couple of decades wrting software for a living, just business stuff, but there was nothing stopping me working on the software for medical devices, aviation or (god forbid) banking. Each area could affect real peoples live badly if I screwed up. I have no formal qualifications

        My brother retrained as as an electrician, he has taken exams has certificates and needs to update those qualifications when new regulations come out. He cannot legally undertake some work without those qualifications and work must be done to a standard which may be examined by others.

        There are similar rules for Plumbers and Gas fitters.

        Maybe we do need some form of industry certification (not MCP or Cisico Certs)

        1. Anonymous Coward
          FAIL

          Re: but, but

          If you had written software for Medical Devices (SaaMD) or indeed Aviation, you'd know that it isn't just a case of knocking out a few lines of code and hey-presto!

          While there is nothing stopping you from writing code for SaaMD, there are a huge number of regulations and hoops to be jumped through to get your product CE marked and to market.

          1. Anonymous Coward
            Anonymous Coward

            Re: but, but

            Exactly: certification.

            To return to the poster's comparison with electricians: you can do your own electrical work, but in a lot of cases you have to get it inspected by an qualified electrician.

  14. Bogle
    Joke

    Civil War

    It's "Civil War" with Bruce Schneier as Tony Stark / Iron Man. Where's our Captain America!

  15. Destroy All Monsters Silver badge
    Big Brother

    We are doomed.

    This is the industry that gave us genius ideas like "software patents" and recently, to the acclaim of internally damaged journalists, "API copyrights".

    Getting something right?

    Yeah, right!

    OTOH, as no-one can be arsed to get software "right" in any case, disaster will continue to strike, hacks will continue to proliferate, and backdoors will stay in code bases . We are heading for the one of those Hieronymus Bosch hell situations.

  16. Stevie

    Bah!

    Oh yes, time to get serious.

    And yet, all your everything are still belong to lightbulb.

  17. Anonymous Coward
    Thumb Up

    Get 'em

    It's about time the government cracked down on dodgy tech companies. If that makes the tech industry impossibly unpleasant to work in, tough shit. Get a real job.

    It's no skin off my back. As an independent contractor I *already* avoid work that could expose me to financial liability for safety & security faults, which are inevitable and largely beyond my control. That also happens to be the most tedious programming work there is. I'd rather dig ditches.

    You know where this is going....... When safety/security critical computer systems are fully held to account, we'll find there's basically no place for them. Other safety-critical industries have a chain of responsibility, with licensed Professional Engineers taking personal responsibility for design approval and construction supervision, and insurance for rare failures. But "Software Engineering" is an oxymoron. It's too complex and unpredictable to design against failure. It fails constantly and we fix it after the fact. Unacceptable.

    1. This post has been deleted by its author

  18. EnviableOne

    One World One Tinternet

    Just thinking is the Nation state not as extinct as the network boundary?

    in the world of t internet, where Russian hackers influence US elections an Ukrainian hackers ransom UK PCs with impunity, is a border not just a quaint Idea?

    What we need is a global consensus and controls that effect the entire system, not just parts of it, as the way its all designed, the regulated parts will lose out and the others rise.

    We need a Geneva Convention of Cyberspace or a UN High Commission for Cyber Security

    1. tom dial Silver badge

      Re: One World One Tinternet

      "Is the Nation state not extinct as the network boundary?"

      China think not.

  19. mistersilver134

    Anyone remember Neal Stephenson's Snow Crash? The entire premise was that the gov had decided that independent coders were dangerous and was determined to control them even if it meant killing the majority. Pretty prescient hey?

  20. jake Silver badge

    Obxkcd

    https://xkcd.com/1039/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like