Government regulation will clip coders' wings, says Bruce Schneier

Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier. “Governments are going to get involved regardless because the risks are too great. When people start dying and …

  1. inmypjs Silver badge

    More Hype

    Sounds like more IOT hype just not from the usual suspects.

    Can't say I am that worried about IOT security because I still can't imagine a thing that I would have any real use for.

    1. Stoneshop
      FAIL

      Re: More Hype

      And you won't be affected by the insecurity by others' use of IoT (including public services). No. Definitely not. Nuh-huh.

      1. Destroy All Monsters Silver badge

        Re: More Hype

        You will meet Doctor IoT at the hospital. You can be sure of this.

  2. Pascal Monett Silver badge

    I perfectly agree with Schneier

    We are witnessing the origin story of the Butlerian Jihad. In real time.

    As for me, I am already dead against IoT and I will ensure that neither my fridge nor my toaster nor anything but my PC will ever, ever be connected.

    Not without a T-1000 acting as firewall. Emphasis on fire.

    1. Justin Clift

      Re: I perfectly agree with Schneier

      Wish it was that simple. Unfortunately our power outlets are networked through our houses, and on out to the power utility infrastructure. They're all perfectly capable of carrying data.

      No firewalling that yet. :(

      1. Baldy50

        Re: I perfectly agree with Schneier

        An inductor calculated to attenuate the frequency used in communications to an unusable level placed in series with both current carrying conductors?

        Physically disabling the device in question's ability to communicate and WI FI too.

        Just a thought.

        1. Richard 12 Silver badge

          Re: I perfectly agree with Schneier

          The inductors needed to attenuate powerline networking are really huge, and so very expensive.

          Back before there was an EU standard written, we did some testing and it turned out that the only affordable way to block powerline is the local substation or pole-top transformer.

          Which actually doesn't work anyway because the radiated emissions are such that it's basically wifi.

          1. Steve D
            Meh

            @Richard 12

            "The inductors needed to attenuate powerline networking are really huge, and so very expensive."

            Really? I fitted a simple mains filter from RS as part of my PC's mains conditioner. When plugged in after it, the powerline networking totally fails. No other unit sees a signal. When the powerline adaptor is plugged in upstream of the filter, it works fine.

            1. Anonymous Coward

              Re: @Richard 12

              That's the above-the-board powerline networking. Think of the secret stuff that can disguise itself and operates outside your filter's frequencies. Or think hidden whispernet chips that don't need wires at all.

          2. energystar
            Coffee/keyboard

            Re: I perfectly agree with Schneier

            If you can't clean, then dirt it a lot more.

        2. Charles 9

          Re: I perfectly agree with Schneier

          "Physically disabling the device in question's ability to communicate and WI FI too."

          It'll reach a point where you can't kill the communications capability without killing the device itself. AND voiding the warranty.

      2. techulture

        Re: I perfectly agree with Schneier

        A jammer disguised as a cheap, "badly shielded" Chinese appliance?

    2. allthecoolshortnamesweretaken

      Re: I perfectly agree with Schneier

      And who is coding the software for your T-1000*, OS and all, and reviewing the code?

      *Which is also a part of the 'Internet of Things'

    3. Dave_uk
      Facepalm

      Re: I perfectly agree with Schneier

      "I am already dead against IoT and I will ensure that neither my fridge nor my toaster nor anything but my PC will ever, ever be connected."

      What about your smartphone? Oh yes that's OK!

      What about your TV? Oh, forgot about that, what else too....

      1. Pascal Monett Silver badge

        Re: What about your smartphone?

        I believe they are covered by that sentence that includes "nor anything but my PC".

  3. Anonymous Coward

    The man's an incorrigible optimist

    The choice is between smart (well-informed) or stupid government regulations

    Evidently he's not got much experience of the British government, where our choices are going to be between really stupid and bloody stupid government regulation. Our political decision makers are intellectual lightweights who know so little about IT, science, technology, or even business that failure is baked in to everything they touch.

    1. sysconfig

      Re: The man's an incorrigible optimist

      Evidently he's not got much experience of the British government

      I think he's well aware of it, not least because he used to be employed by the BBC. (And the British gov is not the only stupid one in the world.)

      But you don't go on stage at a major security conference and call out the government for what they are. It closes all doors for any sort of communication in the future. So you keep your reasoning along the lines of "haven't lost all hope just yet". Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?

      1. Anonymous Coward

        Re: The man's an incorrigible optimist

        Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?

        Well, a nice government sinecure keeps the wolf from the door. Take the money, don't do anything, don't rock the boat. If your standards are low enough, working for the government is a dream job.

        But on the other hand, when you look at any of the really intelligent guys who become government advisors, the fuckwits of the establishment ignore their advice, and just keep doing what they wanted to do in the first place (eg, Prof. David Nutt, the late, great Sir David MacKay, and more than a few others).

      2. BebopWeBop

        Re: The man's an incorrigible optimist

        I think you will find it was BT not the BBC. Slightly different I think you might find.

        1. sysconfig

          Re: The man's an incorrigible optimist

          I think you will find it was BT not the BBC. Slightly different I think you might find.

          BT of course. Thanks for the correction.

      3. Mage Silver badge

        Re: The man's an incorrigible optimist

        BBC or BT?

        He was employed by BT

    2. energystar
      Windows

      Bruce is an incorrigible optimist...

      On seeing a Path, when almost nobody else able.

      On honest introspection, almost no individual thinks this is going to derive other side, but catastrophe.

      [But money is so strong...]. Who cares about 'individuals'!

    3. a_yank_lurker

      Re: The man's an incorrigible optimist

      And the Congress critters make the British look like a bunch of geniuses.

    4. Anonymous Coward

      Re: The man's an incorrigible optimist

      "the British government, where our choices are going to be between really stupid and bloody stupid government regulation."

      Ah. You should move to the US. Our government has an unblemished record in their IT endeavors.

  4. Del_Varner

    I want a dumb house.

    If something can be hacked, it will be hacked. If something can be used as an avenue for advertising, Google, Facebook, Amazon, etc. will use it and will have sneaky Terms and Conditions to allow it to take anything they want.

    1. Stoneshop

      Re: I want a dumb house.

      My house will be reasonably smart, but as such not connected to the Internet. Its smarts are autonomous and self-contained, with its own sensors and such.

      1. energystar
        Gimp

        Re: I want a dumb house.

        "My house will be reasonably smart, but as such not connected to the Internet."

        Fifteen cents the 'chip', plus antenna. Who needs to warn You, miserable consumer?

        Better get a good radio scanner.

        God! WHERE are we going?

        It could pass half a life silent, and when a passing Blue-tooth 'sucking' device Agent pass by....

        1. Stoneshop
          FAIL

          Re: I want a dumb house.

          Fifteen cents the 'chip', plus antenna. Who needs to warn You, miserable consumer?

          I do, myself. There are no 15 cent chips (plus antenna) in the gear I use.

          1. Charles 9

            Re: I want a dumb house.

            Wanna bet? It'll be hidden in another chip: more than likely one critical to its basic operation. You won't be able to kill it without killing the device itself. Part and parcel.

          2. energystar
            Windows

            Re: I want a dumb house.

            A DOER! Hopeful you keep opening your stuff and checking. </TrueCompliment>

            [Should check beyond numbers and letters on little black squares].

            My little OS adverts me of Blue Tooth. [Not in the spec].

        2. Vic

          Re: I want a dumb house.

          It could pass half a life silent, and when a passing Blue-tooth 'sucking' device Agent pass by....

          With respect, do you think it's about time you started posting in your first language?

          We might stand a better chance of understanding...

          Vic.

          1. energystar
            Windows

            about time you started posting in your first language...

            Sorry about that... Will try harder next time. [Because you won't try, on my first language].

      2. Dadmin
        Facepalm

        Re: I want a dumb house.

        Reasonably Smart is the way to go. Back in the olden days I went to a network industry conference called Interop. There I stood next to a very odd, but very real Clifford Stoll (https://en.wikipedia.org/wiki/Clifford_Stoll) and another famous network "celebrity" the original Internet Toaster (see https://en.wikipedia.org/wiki/Simon_Hackett). Anyway, I saw the toaster and thought; how fun! It was a laugh, no one expected there to be IP-laden toasters with RJ-45 connectors next to the Dark/Light knob. But who knows? Now they are coming, and consumers will probably buy them, and make some toast with an app, and have a laugh. But do we really need all appliances working on my internets, then perhaps connecting to the real Internet? (Hi, again elreg. why is it Internet-of-Things, and not internet-of-Things? surely, you have time to hit the shift key for THAT?! :P) Does my TV need an Internet connection? Sure if I want it to view Hulu or other built-in apps, that would be fine, I guess, but I already have dedicated products for that, and with the state of crap firmware and the need to always update, perhaps I'm better off with a dumb TV and smarter, yet controllable smaller devices.

        The IoT, or ioT for elreg, is a dream for hardware designers who want to make a thing "smart" at the expense of dumb consumers who think they need that level of control over their devices. However, I think the industry for this is going to come to a realization that most people don't need any of these "smart" products, we just want smarter products and some control over how they gather and send data. There will be a mad dash to get these devices to market before the consumers get wise to the inherent security issues with having a fridge talking to various vendor and affiliated networks for no good reason other than; "oh, you can do your shopping list right from the fridge itself, it scans your barcodes and tells you when you need more milk, and other stupid shit that you could jolly well do yourself, but perhaps are too lazy or stupid." "Lazy and stupid customers!? Where do we sign up for them!" -- Every IoT maker today

        It's all coming soon to a supermarket or electronics store near you. Beware. I'll still purchase a new toaster, but it better be happy with firmware v1.0.0 and never EVER getting to see the light at the end of a VPN tunnel. YMMV.

    2. 's water music

      Re: I want a dumb house.

      when I am on my own at home I want to still be the smartest guy in the room

  5. Dan 55 Silver badge

    We’ve allowed programmers to have this special place in society to code the world as they see fit

    Well personally I'd rather do things properly. Businesses decide who does what when and they're not particularly interested in fostering a culture where things take longer than the bare minimum to get done.

    1. energystar
      Linux

      Coders ARE, and have been indolently, unprofessionally, unethically playing...

      “We’ve allowed programmers to have this special place in society to code the world as they see fit,” Schneier said.

      Bruce seems to be not enough advised about the State of Affairs at IT. Coders DOESN'T code the world as they see fit. At least as a profession. Bruce is looking at the wrong side of the Company, Corp.

      On Bruce behalf. Coders ARE, and have been indolently, unprofessionally, unethically playing the card: Did what was ordered to do.

      1. energystar
        Angel

        "Coders DOESN'T code the world..."

        [Easy your worries! Little minions...]

      2. energystar
        Big Brother

        Re: Coders ARE, and have been indolently, unprofessionally, unethically playing...

        Surely Bosh case is minions guilt. Aha! </sarcasm>

  6. Andy Non Silver badge
    FAIL

    It's all depressingly inevitable.

    Sooner or later it will hit the fan big time. Cars will be hacked and forced into accidents, houses set on fire or otherwise damaged. Personally I don't want any IoT in my house, ever; but that assumes that IoT-free housewares will always be available. Most TVs on sale now are internet connected and the gullible public will likely slowly uptake more IoT products over time; they may not have much choice in the end, e.g. so called "smart meters" being forced onto everyone.

    The hackers will range from bored kids having fun messing with your appliances from the comfort of their bedrooms to organised hacking by foreign governments and terrorists. Even "friendly" governments and our own might not pass up the opportunity to eavesdrop on the proletariat via whatever means IoT provides.

    Programmers will continue to be under pressure to churn out code that "works" without necessarily having good security in place. I can't conceive of how secure coding could be legislated, checked or enforced by law.

    Governments will eventually act, in their usual clueless manner, passing laws that miss the point and just make life difficult for everyone. I don't see any happy outcome from IoT. Even if good security is baked in, security holes are likely to turn up and require patching, which in turn opens up another can of worms allowing external access to the core of IoT devices.

    IoT is just a slow motion train wreck, however you look at it.

    1. Andy Non Silver badge

      Re: It's all depressingly inevitable.

      I'll just add that IoT may not just be a metaphorical train wreck, if you end up with IoT embedded in railway signalling, automated crossings and track changing equipment, the outcome may be far more serious. When IoT is incorporated into critical infrastructure, then you are risking more than a "blue screen of death" or system crash.

    2. allthecoolshortnamesweretaken

      Re: It's all depressingly inevitable.

      Yep, one way or another, we're doomed. The irony is not lost on me - civilisation will not end with a bang (aka global nuclear war as envisioned in nearly all the SF from the mid 1940s to the late 1980s). It will end with our smart toasters burning down our houses (after ratting us out to the ever increasing surveillance state), with our smart fridges cleaning out our bank accounts by ordering a 100 year supply of groceries, with our smart lawnmowers mowing down our pets, with our self driving cars blocking the roads to hospitals and power stations, and so on. Future historians, if and when a new civilisation arises from the ashes of ours, will call our era 'the stupid times'.

    3. Dadmin

      Re: It's all depressingly inevitable.

      True that!

      I'm a grown-ass-man, and I plan to crack my neighbor's wifis and break into IoT devices with impunity. All because I can, and want to see what is doable in the real world. Information wants to be free.

      1. Anonymous Coward

        Re: It's all depressingly inevitable.

        "Information wants to be free."

        I think it flows one way: My information should be free to whoever wants it, I should pay for information.

        Unless it's a FOIA request - then I shouldn't be given the information.

  7. Erik4872

    How about professional engineer status for coders?

    In the 20 or so years I've been in the IT field, much of which has been doing systems integration work on really crappy software, I've often wondered why we don't have some sort of PE-style licensing arrangement. This would in my opinion get around "regulations" forcing people to code a certain way, by making individual practitioners responsible for the abominations they write. The second you try to regulate something like coding methodologies, it'll be obsolete overnight. Let's say you're able to replace the hodgepodge of educational backgrounds out there with a reasonable set of prerequisites. Make sure people actually understand what the stuff they're writing does when run on real-world systems.

    I fall into the self-trained camp, but I would welcome the opportunity to make my education more formal. PEs require an engineering degree, experience and a licensing exam as a minimum barrier to entry. I'd say that beats coder bootcamp and stackoverflow reading any day of the week.

    And, as much as malpractice lawsuits scare me, the idea of personal responsibility for bad work holds value for me. One thing about our field that drives me nuts is watching someone screw something up, entirely their fault, then get fired, then land another job a week later with a hefty raise. Mistakes shouldn't be able to be covered up by cleaning up your resume and applying somewhere else.

    1. Andy Non Silver badge

      Re: How about professional engineer status for coders?

      It would also require a shift in management policies. Programmers often work to a list of priorities and deadlines specified by their line manager. Whereas a surgeon who is professionally responsible will take as long as required when operating on his patient, would programmers be given the same freedom and flexibility? If managers prematurely say a project is "good enough" to release before the programmer is happy with the security what then? A programmer who refuses to sign off prematurely may find himself replaced with others who would. Who would be responsible in the event of an IoT disaster resulting in the loss of life? If a programmer is working as part of a team, you could end up having to sign off each line of code you wrote. Which line is responsible for an IoT disaster? It may be far from clear with many interrelated modules developed by many different programmers plus third party software components.

      Also, with much of the focus nowadays being on outsourcing programming to the cheapest programming-factory in India and elsewhere, would there really be the required focus on sound security practices?

    2. Yet Another Anonymous coward Silver badge

      Re: How about professional engineer status for coders?

      PEs also require that you are supervised by a PE.

      So great if you are a mechanical engineer at Ford, trickier if you are at a startup.

      Although it works great for us. It neatly divides each new graduate crop into those that eventually want a nice safe job in local government (where professional status is required for all managers) and so go and work for whatever large utility will tick all the PE boxes. And those that actually want to make something new and interesting.

      1. Anonymous Coward

        Re: How about professional engineer status for coders?

        "PEs also require that you are supervised by a PE"

        Then who supervises THAT PE and so on up? What about when you get to executive positions and so on who can still dictate terms? Will THEY have to be PEs, too?

    3. energystar
      Headmaster

      Re: How about professional engineer status for coders?

      Could find myself unwilling to agree. Actual Coders lack Enough Science and Engineering Foundations.

    4. dajames

      Re: How about professional engineer status for coders?

      ... the idea of personal responsibility for bad work holds value for me ...

      You're not talking about responsibility, you're talking about accountability.

      Making individual developers accountable for failings in their software will ensure that people get punished for doing bad work, but it won't prevent bad work from being done -- just ensure that the same people don't do bad work twice!

      To ensure that a piece of work will be good you need first to have the will to make it good, knowing that it would be cheaper to make it bad. You then need to foster a culture in which quality is a primary goal, one in which short-cuts are NOT taken, one in which testing is part of the development cycle. Everyone involved in a development project should understand what the product is meant to do, what it's for, how it will be used, how its components fit together, what might go wrong with it in operation, and what might be done TO it in operation. Assumptions must be challenged.

      Yes, I think professional certification would be good for our industry if only because it would mean that the people doing the actual work would be able to demand some respect from the people they work for, and having management with the same qualifications would mean that our managers will actually understand what you're talking about when we go to them to discuss technical problems.

      An assumption in mechanical engineering is that madmen with spanners won't clamber all over the machinery undoing the nuts and bolts, yet this -- or something analogous to it -- is exactly what happens in software. We need better defences in software.

      The way to ensure that the defences are built is to make companies -- not individuals -- accountable for the failing of their products. Set down legal standards that must be adhered to, with which individual software and hardware products must comply. Something like a BSI kitemark, but as a legal requirement. It'd add a layer of -- unacceptable, to some -- bureaucracy, but it's the only way to keep the cheap shit off the streets.

      Your new lightbulb connects to the internet? Well, then, it must employ some access control, it must use encrypted connections, it mustn't expose any unnecessary interfaces, it must pass a certain basic set of penetration tests. If it doesn't pass the tests you can't legally sell it. If building it to meet the standard makes it too expensive for the market then perhaps you should have thought of a more commercially viable product in the first place.

      1. Anonymous Coward

        Re: How about professional engineer status for coders?

        Trouble is they'll just find a country that wants to cheat and use sovereignty against you. Especially if that country is a net exporter of something significant like petroleum...

  8. BebopWeBop

    Security by design – applied to cars, planes, automobiles – which is characterised by testing and certification, is going to run into the agile model applied in software security of “muddling through putting it out there and fixing it on the fly”.

    No. Even agile systems require testing and certification if they are going to be accepted by most rational customers. Security by design requires design. You see it's in the name. Not that difficult is it?

    And if you can point at anything more than cursory 'design' in many automobile systems - from the hackable radio keys onwards, please share. Security has to be boiled into the mix at inception - well before you choose your methodology, and then be reflected in that methodology. You can be 'agile' and still maintain a secure system, it's just that it will turn out to be rather more expensive than management would desire.

    1. Charles 9

      OK, how do you design security into a business that's pressured by the investors to get the RoIs quickly?

      1. BebopWeBop

        Ummm, well you insist it happens. If they refuse, then it has not been designed in.

        This is a silly question, akin to how do you save the life of someone bleeding from the femoral artery if they refuse treatment and set off on the first leg of their triathlon.

        Jeesh.

        1. Charles 9

          No it's not because the investors are part of the problem. And the investors are the ones fronting you, who hold the actual ownership and who can make things very uncomfortable for you if they choose to sell. Most investors these days are short-term. They want everything yesterday or they'll find someone else to back.

          Going back to your example, when someone has a hemorrhage like that, sometimes, you have to intervene even if they don't want to (assuming they're not of sound mind), but if the legal environment is such that attempting to do so could get charges put on you, you're kinda caught in a no-win situation.

          That's the kind of environment we're in: the only way to avoid legal trouble is to stay a course that can only lead to trouble. Damned if you do, damned if you don't.

  9. richalt2

    the customer is always right

    Really this is more about what people choose to buy. You can buy the cheap phone with many bugs, or pay more. You can pass by the Internet entertainment system in the car. There is a place for government regulation when your purchase impacts me. Else buy what you want, malware and all.

    1. allthecoolshortnamesweretaken

      Re: the customer is always right

      But if all my choices are between different heaps of shit (in a variety of shape, colour and smell) I still end up with a heap of shit in the end, no matter the budget I can afford.

    2. Justicesays

      Re: the customer is always right

      Turns out their choice of an Internet Entertainment system in their car might literally impact you... with a car.

    3. energystar
      Childcatcher

      Re: the customer is always right

      Your bad car choice [and its software] could end IMPACTING me. No, in real life is usual that customer is wrong. That's why professional services were created.

  10. martinusher Silver badge

    What is the IOT anyway?

    As someone who's been controlling stuff over networks since about the time that networks were first invented I find the IOT intriguing.....but then I go and look it up to find out what it is. It seems to be a bunch of marketing types circling the fire, all waiting for someone else to come up with the killer app, plus a handful of things that you can turn on and off (that are functionally similar to the X25 stuff we could get from Radio Shack years ago if a little more expensive).

    As anyone in real time will tell you it's no place for 'agile' type development -- R/T methodologies tend to be conservative because bugs have consequences. Security wasn't much of an issue at first because systems were physically isolated but as connectivity grew we became a lot more security conscious. (...and it wasn't my idea to design SCADA systems on the Windows/XP platform, this is the sort of high level 'management decision' that gets handed down to you, a bit like the gathering clusterf**k we call IOT). So if you find your car hijacked then it's because you're using rubbish designers, it's not a technology issue, and the last thing you need are armies of bureaucrats telling you how to do your job, just more people to actually do the work.

    1. This post has been deleted by its author

      1. Dadmin
        Pint

        Re: What is the IOT anyway?

        I just checked, and my TRS-80 Pocket Computer PC-2 disagrees with you! BASICally.

        (see https://en.wikipedia.org/wiki/Sharp_PC-1500)

    2. Stoneshop
      Holmes

      Re: What is the IOT anyway?

      (that are functionally similar to the X25 stuff we could get from Radio Shack years ago if a little more expensive).

      ITYM X10

      Rat Shack is dead, X10 doesn't use the Internet, so it's not Hip Innovative Shit

    3. Bakana

      Re: What is the IOT anyway?

      " if you find your car hijacked " the First question you should be asking is:

      What Idiot thought connecting my Car to the Internet was a Good Idea in the first place?

      GPS? Doesn't need an Internet connection.

      Brakes? Why?

      Steering? Why would you want someone in Russia steering your Car?

      AC? What's wrong with an old fashioned Thermostat?

      Software Updates? That's really something that should be done at the same time as an Oil Change and only by Trusted Professionals. Over the Internet, You Can't Trust it.

  11. John H Woods Silver badge

    Don't we already have the legislation?

    Negligence? Corporate manslaughter? I'm sure some more resources put into investigation, detection and enforcement might achieve better results than yet more qualifications and rules.

    1. Anonymous Coward

      Re: Don't we already have the legislation?

      I suspect it's because they tried that and they keep seeming to get off, usually by way of pinning the blame onto the user (PEBCAK), plus they probably have deep enough pockets to "pay off" whoever they need to pay off to get off. How do you combat that when money talks and all else walks? And walking away may not be an option: captive markets and essential needs and so on...

      1. Bakana

        Re: Don't we already have the legislation?

        The Lawyers get paid to convince the Judge that since the words "Computer" and "Internet" don't appear anywhere in the original Law that the Theft or Murder or any other crime isn't covered.

        Never mind that, in many cases, just because a Computer was involved, doesn't mean that anyone who looks can't see that the Crime WAS Committed.

        The very First thing a Lawyer is taught in Law School is "Swallowing Camels and Choking on gnats."

    2. evilhippo

      Re: Don't we already have the legislation?

      Exactly! That would be vastly more effective than yet another layer of turgid regulations and qualification designed (in fact) to keep out innovators and protect established players.

    3. Eclectic Man Silver badge

      Re: Don't we already have the legislation?

      I expect that there is legislation in the EU and Germany about faking your exhaust emissions tests, but who at VW has actually been proved to have done the coding, and allowed it into the engine management system computers? That shows either an amazing lack of quality control on the software configuration and testing or management interference.

      If anyone has proved anything about a named individual, please post a link.

  12. Camilla Smythe

    Hah! Hah! Hah! #IPBill

    Gov, Tom, Dick and Mrs Miggins get to haxxor it anyway.

    1. Dadmin

      Re: Hah! Hah! Hah! #IPBill

      Mrs. Miggins' Pie Shoppe, now with 10% more IoT in every teacake, scone, muffin, cronut, or pie.

  13. DCLXV

    Hello Warld

    Schneier loves beating on the IoT drum but I don't know if he has made it clear what the REAL problem is here. Insecurity has always existed, the fact is a lot of "real world" shite has been networked going back to the days of RS-232. So, networking a fridge or toaster hardly constitutes a paradigm shift.

    The real problem that is emerging is that software is now far more dependent on byzantine algorithmic processing, with the expectation that more of this somehow leads to the emergence of more intelligent software. Which may be true, in the short term. Some of the most clever software I've seen is barely more than an amalgamation of awful hacks that just happen to work. Anything is possible.

    The real problem that is bound to emerge from this is that when you have a house full of IoT hardware all with local intelligence, in addition to a centralized intelligence managing them, it's virtually impossible for anyone to really determine ahead of time what crazy tangents all this intelligent processing can fly off on when a link in the chain starts to parse dodgy input and include that into its decision-making.

    Imagine the house as a machine and all the IoT knick-knacks as a cog. What if a cog has been feeding the machine a skewed variable for years? By the time the 'brain' component of these increasingly vast, distributed networks figures out that something is OFF in all this complexity, the situation "at the coalface" may have passed the point of discomfort for the victims of these cogs attempting to interact at various stages of obsolescence.

    That is the real danger that lurks in IoT, and it may be unavoidable. My 2c, for your consideration.

  14. Tromos

    "We are going to see...more trusting of the government"

    Altogether now-

    "OH NO, WE'RE NOT"

    1. GrumpyOldBloke

      Re: "We are going to see...more trusting of the government"

      > When people start dying and property starts getting destroyed, governments are going to have to do something,

      No government likes competition.

    2. Charles 9

      Re: "We are going to see...more trusting of the government"

      "OH YES YOU ARE"

      Because the alternative is corrupt corporatocracies that can find their ways AROUND laws. Which would you have lording over you (and BTW, you WILL be lorded over; your only choice is BY WHOM).

  15. energystar
    Alert

    And then, the blackout...

    "IoT as a world-sized robot that society is building and made up of connected devices that can sense, think and act autonomously." -Bruce Schneier.

    And then, the reboot... WATCH!

  16. a_yank_lurker

    Management

    Often the real problem is the various PHBs deciding what constitutes good code. Remember that most of PHBs have difficulty turning on their smartphone let alone a computer.

    1. Dadmin

      Re: Management

      It's the kind of sloppy design work that ends up getting shipped in the product because "we had to ship it on <date>." Then the "oh, we'll fix that with a firmware, or other, update" excuses. As an example, when I worked for a game maker, the code HAD to be ready, the content HAD to ship on day 1 with as few bugs as humanly possible, because when you burn a CD-ROM, that's it. You don't get to burn some with fixes and whatnot. You did the work, you test the shit out of it, you golden master it, then ship. On older console systems, you get the code and it never changes. That makes the producer work extra hard to build an error-free product, not "let's just rush it out the door and make some patches later." Nowadays, most everything is "ship that shit, we'll patch it later" and it shows. IoT must do better, or people like me will break it. A LOT.

      1. Charles 9

        Re: Management

        You never saw the Atari 2600 versions of Pac-Man or E.T., have you? Even in the 80's the PHB could dictate terms (like "It MUST be ready by Black Friday or we'll miss the holiday shopping season and lose ALL THAT MONEY!"), and the results could get pretty ugly.

    2. Vic

      Re: Management

      Often the real problem is the various PHBs deciding what constitutes good code.

      s/deciding/caring/

      Vic.

      1. Anonymous Coward

        Re: Management

        No, it was right the first time. If the PHB says so, they usually have the blessing (or ORDERS) of upper management, so it's usually do it OR ELSE. And if you take "OR ELSE," odds are they'll blacklist you to every other related business in town...

  17. Anonymous Coward

    I was chatting to a friend yesterday about IoT and Smart this and that, and he said "The IoT will be obsolete before it even exists."

    When I asked him to explain what he meant, he said "Take Smart TV's, irrelevant already. Why does my telly need to be smart when everything I plug into it is already smart?"

    Valid point, when everything connects to the internet, what will the point be?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      I don't understand.

      IoT devices do not necessarily need to be "smart", they just need to have some kind of control function.

      They certainly will not be "all the time connected". Maybe do some I/O when they have harvested enough energy to power on the radio interface. Indeed, it will likely be a security feature to NOT have the damned stuff online all the time.

  18. Anonymous Coward

    Unreasonable use of the Internet

    I wouldn't expect a bank to send a box of cash to a branch by taxi because it is cheaper, or a hospital to send a bag of blood by the National Express coach network for similar reasons, so why do they appear to think connecting sites using badly secured public Internet links is acceptable?

    1. Anonymous Coward

      Re: Unreasonable use of the Internet

      Because unlike financial or medical, they're on a budget. Put it this way. Suppose you're trying to transport some blood but you're only given $100 to do it. That's the kind of constraints some people face. And there's no time to argue; you have a deadline; LIVES are on the line.

  19. Destroy All Monsters Silver badge

    Even less Microsoft in the market?

    Good!

  20. David Pearce

    Cars are given as an example of a regulated market.

    Why do manufacturers think it is a good idea to have the ICE, with a Windows OS, to be on the same CAN bus as the brakes and throttle?

    1. Charles 9

      Because the customers start clamoring for it and you lose business if you don't comply.

  21. Anonymous Coward

    The Stupidest Guy In The Room

    The government solution is always to put the stupidest guy in the room in charge.

    Which works out well for them, because they always supply the stupidest guy in the room.

    That's how they create a demand for their never-ending supply.......

  22. razorfishsl

    Good luck on getting this implemented in China...

    They cannot even control the mobile phone markets to ensure software is updated by vendors......

  23. Bakana

    What? When?

    I was a programmer for Years and don't remember EVER being allowed to "Do as I pleased".

    A lot of the stuff I worked on would have worked a Lot Better if I'd had just a tiny bit of input into the actual Design. Managers who know Nothing about Computers or how they work come up with some really Gawdawful ideas at times.

    For Example: "You can't make the Key to that file Unique because That would be telling the Customer how to run his business."

    "But, if it's Not Unique, we'll be forcing them to wade through 30 or 40 different files searching for the One they want. Besides, I'm going to bet that they already have a system of Unique IDs in their Paper filing system that we are replacing or they'd Never be able to Find Anything."

    Sadly, that argument fell on deaf ears and, after the application went Live, the biggest complaint we Had from customers was:

    "Why didn't the system Flag the Duplicates? If I'd known these files were already out there, I'd have been saved a bunch of work."

    Because, guess what?, in an office where 5 or 6 people share the same job, sometimes they don't always realize that someone Else has already begun working on the same file.

    Although there Was one time when I was ordered NOT to fix a coding problem that I'd identified because the guy trying to order me NOT to fix it was one of the people responsible. I decided that, since he wasn't actually my Boss, I'd fix it anyway and see how well it worked. Besides, it was only 12 lines of code. It cut processing time for that application by at least 60%. After it was implemented, the guy who tried to order me Not to fix it went around to all the bosses and claimed Credit for the fix. The bosses, not knowing any better, gave him a really Nice Bonus for my work.

    Yeah, being able to "Do as you want" is so rewarding.

    99% of the time, you do it the way it was Designed or find some way to talk someone into Changing the design. And then, you have to TEST the daylights out of it until you expose All the idiotic things the Managers inserted into the design because, after all, they have MBAs and always know best...

  24. evilhippo

    "The trouble is we don’t yet have a good regulatory structure that might be applied to the IoT."

    And there never will be.

    The notion something as intrinsically clumsy as state regulation is the answer to such problems is not borne out by history. With state regulation you get all the downside of the largest and most bureaucratic big companies with the added 'joy' of sovereign immunity, even more remote faceless indifference and about as much ability to quickly change direction as a train on rails. Regulations will be designed so that once (if) the IoT gets going, it locks in the position of existing players and keeps out "dangerous" innovators.

  25. Measurer

    There are standards out there....

    As I've said before on El Reg, European Standards such as EN 62061, 61508 etc. do attempt to formalize the requirements for safety critical software, but there has to be a realization within the software industry in general that what they code (whether that be IoT based remote control stuff or not) may have a real world hazardous effect, and therefore these standards have to be applied. I have worked in the industrial control industry for over 20 years and it really scares me that layers of abstraction between P.C side code (GUI, Vision processing etc.), and the lower level real time systems for controlling motion or I/O, keep the average coder completely ignorant of how a given system works. Yes, abstraction, libraries etc. etc. are vital, but the coder MUST understand at least in some detail, how a control stack works, when the end result of moving a slider GUI element could result in a toaster going into meltdown, be that toaster in the kitchen local to you, or on the other side of the world.

  26. Anonymous Coward

    BBC or BT (or BS)?

    Ahem, when Mr Schneier 'left' BT, the notice sent round was one short paragraph noting the fact that he was no longer an employee. There was no paean of thanks for all the hard work he had put in and the effort, contribution and progress made due to his genius. None at all.

    His reported speech at InfoSec does not say anything I haven't heard many times over the last few years, yet when BS says it, the world listens, for some reason.

  27. Aodhhan

    Pfffttt..

    With our current crop of politicians... we won't really have to worry about this for another 5 years.

    It only takes about 4 or 5 people to scream loud, and some politician will be the opposition for them.
