Bruce Schneier: We Need To Save the Internet From the Internet of Things (vice.com)
Bruce Schneier, writing for Motherboard: What was new about the Krebs attack was both the massive scale and the particular devices the attackers recruited. Instead of using traditional computers for their botnet, they used CCTV cameras, digital video recorders, home routers, and other embedded computers attached to the internet as part of the Internet of Things. Much has been written about how the IoT is wildly insecure. In fact, the software used to attack Krebs was simple and amateurish. What this attack demonstrates is that the economics of the IoT mean that it will remain insecure unless government steps in to fix the problem. This is a market failure that can't get fixed on its own.
confirms the Matrix (Score:1, Funny)
Re: (Score:2)
Elon had already done so...
http://www.telegraph.co.uk/tec... [telegraph.co.uk]
Re: (Score:2)
Elon had already done so...
http://www.telegraph.co.uk/tec... [telegraph.co.uk]
That article includes the wonderfully tautologous statement that we may live in a computer simulation run by our descendants.
The only way this will get fixed (Score:5, Insightful)
Re:The only way this will get fixed (Score:5, Insightful)
"Security has no ROI" is a mantram I've heard uttered in a lot of places dealing with IoT. They don't care at all, because the EULA protects them from most stuff, the fact they can throw up their hands and say, "the blackhats can break into everything" gives them legitimacy with the press, and if push comes to shove, there are no real laws out there that have any teeth. Someone can have a root shell on a telnet port, and a company having that would not have to fret about stock prices. If people griped, they just tell users to buy the version 2 of the device that might move the open port from 23 to another ID, call it done.
What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security. However, I wouldn't be surprised if this gets perverted into no real remote security, but "security" from the owner being able to do things with the device.
Re: (Score:1, Troll)
What would be the ideal, would be something like UL listings, except instead of electrical safety, is for security.
Won't work. People used to value UL ratings because they were worried about electrical appliances catching on fire. People don't even care about UL ratings any more because this just doesn't happen, except with things that have lithium batteries.
The fact is, consumers just don't care about security. They don't know anything about it, they don't want to know, they just know the nebulous "hack
Re: (Score:1)
Is the iPhone UL-rated?
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
According to AmiMoJo, it's a form of transportation that is literally a rapist.
Re:The only way this will get fixed (Score:5, Insightful)
is when the manufacturers of the devices get hit with DDoS attacks and it disrupts their business.
What motivation would vandals have to go after the manufacturers? You'd be begging them to interfere with you with no apparent up-side.
Re:The only way this will get fixed (Score:5, Insightful)
When they get SUED and pay out the nose is the only time they'll take it seriously
Re: (Score:1)
As long as they're allowed to disclaim liability for obvious problems with their products, there will be no movement on the issue.
It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.
Re:The only way this will get fixed (Score:5, Insightful)
It ought to be illegal to sign away your legal rights, especially in situations where you don't get anything out of the arrangement.
In many countries, it is, and the right to redress cannot be signed away by a contract. Apple discovered that when they started selling products in Europe and attempted to enforce US style boilerplate contracts.
So, yes, I can see the manufacturers being sued for damages, no matter what the sales terms say. It just isn't likely to happen in the US.
Re: (Score:2)
If the manufacturers are not based in europe, nor selling directly in europe then there's not much recourse under european law.
Most of these devices come from china.
Re:The only way this will get fixed (Score:5, Interesting)
Simply have statutory damages for manufacturing an IoT device that has been used in an attack. The device you made was used in an attack. You have to pay the fine. Simple as that.
Now to make devices more secure there could be something like a process of getting an "Underwriter's Laboratories" type seal of approval. The seal doesn't mean an appliance won't burn your house down, just that it is very, very unlikely. Unlikely enough to suit the insurance underwriters. Which raises the subject of insurance -- for liability of getting fined for building an unsafe device.
It seems like this would work. Just like electrical devices are pretty safe -- even though manufacturers have a built in incentive to build them as cheaply and unsafely as possible.
Re: The only way this will get fixed (Score:5, Interesting)
So fine the people who own the devices. Start with a small fine, like $10, then double it for each repeat offense. Eventually, the word will get out, people will stop buying products from that vendor, and sales will suffer. They won't have any choice but to make their products secure.
Re: (Score:2)
If your product causes a fire, your company is to blame. It should be similar for IoT devices used for hacking. If you make a device that is hacked and used to cause damage, your company is to blame just as much as if your device caused the building to burn down. What is so d
Re:The only way this will get fixed (Score:5, Insightful)
Wrong. The only way this gets fixed is if cloud command and control goes away. Internet of things is fine as long as each person gets to control their own security destiny and punch holes in their firewalls in ways that suit them. Configuration differences from one place to another make mass control almost impossible. Yes, it's much more likely individual sites get compromised, but much less likely that huge masses of them do all at once. Plus.... why the F*ck do I have to ask a corporation for permission to log in to something that is behind my own firewall. The CORPORATION is the biggest damn security threat we have.
Re: (Score:2)
I agree, I want devices that work in exactly the way you describe... I would put them on their own VLAN, access them via VPN and there would be relatively little risk even if the devices themselves are horrendously insecure.
Unfortunately the vast majority of potential customers are not up to that, most have no idea how to punch holes in their firewall or aren't even able to (carrier NAT for instance) so you have devices that connect out to a server somewhere that the end user has no control over. You end up
Re: The only way this will get fixed (Score:5, Insightful)
Re: The only way this will get fixed (Score:2)
Re: (Score:3)
Re:The only way this will get fixed (Score:4, Insightful)
This costs the manufacturers big $$$ and removes the threat.
JUSTICE IS SERVED! (Score:2)
Perhaps the word you were looking for is 'Vigilante'?
Re: (Score:2)
Not everywhere, simply get someone in a jurisdiction where it's not illegal to deploy such tools and do the whole world a favor.
Re: (Score:2)
The only way this will get fixed is when internet providers get serious about IPv6 security and migration, since that's what the internet of things hinges on. Essentially, how to set things so that things like camcorders connected to the internet can't be remotely maneuvered except by network nodes authorized to do that. And before anyone says 'NAT', this is not an issue about NAT: it's an issue about not knowing how to set up IPv6 based VPNs, and have everything operate within that
Re: (Score:2)
"The only way this will get fixed is when internet providers get serious about IPv6 security and migration"
So, the problem is stated as being no motivation for the IoT producer to spend on securing their devices and then your proposed solution is for a third party to do something it is even less motivated to do?
Brilliant.
Re: (Score:1)
Re: (Score:2)
What you say is that some "good conscience" grey hats need to write robots that hack through those devices and brick them? That could work. But then you need to protect yourself pretty well, 'cause the day one of those manufacturers gets a hold of you you're going to get sued down to oblivion.
Re: The only way this will get fixed (Score:3, Interesting)
I know this goes against everything you believe but sometimes government has to step in because people and corporations with a vested interest can't always be trusted to do the right thing. That's why you have mandatory requirements for electrical goods and many others, from water to food. Do you think those laws should be repealed? There should be mandated security standards for internet devices, checked by independent researchers and paid for by the manufacturer.
Re: (Score:1)
Yes, that's always a danger with regular auditing because the auditors want the repeat business next year. Then the audit becomes routine, everyone complains about how pointless it is and it's treated as a box-ticking exercise. They're mostly right because how often does the shit hit the fan? How likely is it that an auditor will come across an Enron? They missed that of course.
Mostly though, the regulations, inspections and enforcement work. Thousands of Americans aren't electrocuted because of faulty
Re: The only way this will get fixed (Score:1)
The government's idea of security is the TSA. I'd hate to see what the internet equivalent would be.
Re: (Score:1, Troll)
smug collectivists yell "the government will save us!"
with the glowing "success" of anti-spam "laws" ignored
and unintended consequences safely unimagined
they can save the world, if we'd only let them
Re: (Score:1)
right... because the government had nothing to do with the creation of the Internet and has certainly never run secure nodes with large numbers of devices attached to them...
Re: B...b...but government always BAD! (Score:2)
Re: (Score:1)
That's a pathetically weak argument there, certainly not strong enough to lord it over your opponent as a "shithead." Moreover, what the fuck is up with your prose?
Assertion: "The government can indeed help with certain problems, but not this one."
Support 1: They, whoever 'they' are, are unable to understand the problem. That's awfully vague and unsubstantiated.
Support 2: 'They lack the ability to create any useful solution." umm, that's just a rewording of your assertion.
Conclusion: "solutions will have t
Re:B...b...but government always BAD! (Score:5, Insightful)
Someone else suggested a UL-like certification for household IoT. I really like that solution. It's not hard for the average person to understand that this seal means a stranger can't watch you through your webcam, can't unlock your doors, etc. I think people would care, if it were as simple as looking for 1 logo, no geek needed.
Re: (Score:3, Informative)
And notably, the UL is a non-governmental organization.
The government to save us? (Score:5, Insightful)
Re: (Score:1)
The government is complicit, not responsible. Chaos is good for them; it creates a demand for control that we refused them over and over again. They're either gonna let it rot to replace it or fix it in their own mischievous way.
Re: (Score:1)
Well, the US, or the EU, or another country or bunch of countries with a sufficiently large population. It just takes a big enough segment of the market to demand better security, either through consumer or legislative action, that the loss of sales would outweigh the cost of better development.
Re: (Score:2)
It gets even better. He's declaring the free market incapable of solving a situation that is well and truly in its infancy.
You know parents don't take kindly to people calling their toddlers retarded.
Re: (Score:3)
So the government will pass a law and all IoT will be secure... that would be the US gov, I assume? All companies in the world will be complying with the new law?
I would not count that for sure.
99% of all those IOT devices are made in China. If the U.S. created tougher regulations regarding security, it seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else. So the rest of the world would end up getting more secure devices also.
Re: (Score:2)
seems unlikely that Chinese manufacturers would make one set of devices for the U.S. and one for everyone else.
They do this with almost everything manufactured in China - including the version with the branding, and the (sometimes local-only) cheap version without logos. Chinese manufacturing companies are really good at manufacturing these days, and can do custom runs easily.
In the case of IoT, there'd certainly be a version with a backdoor for the Chinese government, so we can only hope there would be 2 versions.
Re: (Score:2)
The law under which they were requesting the takedown didn't apply, but their actions were still illegal in their home country under other existing laws there.
In most countries a DMCA request is meaningless and you have no obligation to comply with it, you are only required to comply with a court order issued by a local court. Especially when you are a hosting provider, as you're not responsible for the content in question anyway - your customer is.
For the things i host (none of which is hosted in the US),
The government can fix this? (Score:1)
Yes, brilliant, you fucking idiot.
Re: (Score:2)
Re: (Score:2)
At the very least... (Score:1)
All IOT products need to be labeled as such. Then I can avoid them...
Re: (Score:2)
Great. You avoid them. So do I. That's already half the problem done, now let's go and educate the millions of others who will buy those things.
The problem is not you or me. The problem is that "internet connectivity" is another checkbox in the little card that gives people information about the appliance they're looking at at Wal-Mart, Costco and whatever other chains there are that can't give you any idea about the things they sell 'cause they themselves have no idea about them.
And this TV has 6 checkboxes
Re: (Score:2)
All IOT products need to be labeled as such. Then I can avoid them...
This isn't hard.
The device I'm about to purchase (check all that apply)
__ has existed for decades, but has a computer built into it now, and did not normally have one prior to the year 2000.
__ can control other simpler items in my house (i.e. lamps, garage doors, entry doors, climate control systems, security systems).
__ connects to my household LAN.
__ can be used from outside my own local area network through a smartphone app or a publicly accessible website that was not written by me.
__ was made by a comp
One solution (Score:2)
Re: (Score:3)
It would actually be pretty great if there were a site which would let you scan the ip address you were coming from (so you couldn't use it against others) with a full Metasploit style array of checks. It could be helpful to a lot of home users who have a basic NAT router going on, maybe with some port forwarding so they can get to various devices like DVRs.
Hopefully someone is going to chime in "You mean like..."
government interventions (Score:3)
or just turn off UPnP on your firewall?
IoT to the cloud is a problem, security-wise. The bigger issue is that IoT devices should not be throwaway stuff. That means designing them to function as part of a home for 20+ years; the smarts need to be in an IoT controller, not some cloud service that might not still be around.
Re: (Score:2)
Duuuuuh, upnp... is that the new detergent?
Please realize what dimwits buy those crappy pieces of junk hardware. You honestly expect them to even know what they're doing?
Re: (Score:2)
A lot of IoT design is broken. My thermostats are all part of my home automation. They do not have an IP address, nor should they. I have an HA controller that has an IP address. Right now piles of IoT vendors are trying to make one-off "we can sell you a service at a few bucks a month" devices. Devices like these should last for decades. The model is broken; HA/IoT needs standard controllers, not some cloud thing. My old HA controller is perfectly capable of also being a WiFi AP and firewall and really mos
Re: (Score:2)
or just turn off UPnP on your firewall?
Break my internet connection because of a misbehaving insecure device that should instead simply be blacklisted? No thanks.
I have better things to do than manually manage port forwarding, and the collective world's shrug of shoulders when it comes to IP address space exhaustion has already broken end-to-end connectivity of the internet enough without disabling about the only part of home infrastructure that still prevents me from getting daily "son the internet isn't working again, can you drop by" calls.
Re: (Score:2)
Break what exactly? UPnP is not assumed to work; it's not some ancient protocol, it was a hack to get home users to let devices do whatever they want.
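What a UPnP hole punch looks like on the wire, as an added example (not code from the page or from any router vendor): the SSDP discovery request, the unauthenticated AddPortMapping SOAP call an IoT device issues, and an audit loop that lists the router's existing mappings and flags the ones exposing typical device ports. The fake router at the bottom, its two mappings and the list of "risky" ports are constructed for the example.

```python
"""Minimal UPnP IGD (Internet Gateway Device) client pieces, added to show what
the UPnP 'hole punching' argued about above looks like on the wire. Example
code, not from the original page or any vendor. Assumes a router exposing the
standard WANIPConnection:1 service; the fake router at the bottom is constructed."""
import re
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)
IGD_ST = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"


def ssdp_msearch(st=IGD_ST, mx=2):
    """SSDP discovery datagram; any LAN host can multicast it to SSDP_ADDR."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def soap_envelope(action, args):
    """HTTP headers and body for one IGD SOAP call. There is no credential
    field anywhere: the IGD profile has no authentication at all."""
    inner = "".join(f"<{k}>{v}</{k}>" for k, v in args.items())
    body = ('<?xml version="1.0"?>'
            '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
            f'<s:Body><u:{action} xmlns:u="{WANIP}">{inner}</u:{action}>'
            '</s:Body></s:Envelope>').encode()
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": f'"{WANIP}#{action}"',
               "Content-Length": str(len(body))}
    return headers, body


def add_port_mapping(ext_port, int_port, int_client, proto="TCP", desc="", lease=0):
    """The request a device sends to expose one of its ports to the internet."""
    return soap_envelope("AddPortMapping", {
        "NewRemoteHost": "", "NewExternalPort": ext_port, "NewProtocol": proto,
        "NewInternalPort": int_port, "NewInternalClient": int_client,
        "NewEnabled": 1, "NewPortMappingDescription": desc,
        "NewLeaseDuration": lease})


def get_mapping_entry(index):
    return soap_envelope("GetGenericPortMappingEntry", {"NewPortMappingIndex": index})


def parse_mapping_response(xml_text):
    """Fields of one GetGenericPortMappingEntry response, or None on UPnP
    error 713 (SpecifiedArrayIndexInvalid), which marks the end of the table."""
    fields = {}
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]          # drop any namespace prefix
        text = (el.text or "").strip()
        if tag == "errorCode":
            if text == "713":
                return None
            raise RuntimeError(f"UPnP error {text}")
        if tag.startswith("New"):
            fields[tag[3:]] = text
    return fields


def audit_mappings(fetch):
    """Walk every mapping the router holds. `fetch(headers, body)` must POST
    to the IGD control URL and return the response body as a string."""
    mappings, index = [], 0
    while True:
        entry = parse_mapping_response(fetch(*get_mapping_entry(index)))
        if entry is None:
            return mappings
        mappings.append(entry)
        index += 1


def risky_mappings(mappings, risky_ports=(23, 2323, 80, 8080, 554, 8000, 9000)):
    """Mappings that put a typical admin/telnet/RTSP port on the public side."""
    return [m for m in mappings if int(m.get("InternalPort", 0)) in risky_ports]


def fake_igd_fetch(headers, body):
    """Constructed stand-in for a router: two mappings, then error 713."""
    table = [("8080", "TCP", "80", "192.168.1.50", "IP camera"),
             ("5000", "UDP", "5000", "192.168.1.20", "game console")]
    idx = int(re.search(r"<NewPortMappingIndex>(\d+)<", body.decode()).group(1))
    env = ('<?xml version="1.0"?>'
           '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>%s'
           '</s:Body></s:Envelope>')
    if idx >= len(table):
        return env % ('<s:Fault><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
                      '<errorCode>713</errorCode></UPnPError></detail></s:Fault>')
    ext, proto, internal, client, desc = table[idx]
    return env % (f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
                  f'<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
                  f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal}</NewInternalPort>'
                  f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
                  f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
                  '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse>')


if __name__ == "__main__":
    for m in risky_mappings(audit_mappings(fake_igd_fetch)):
        print(f'{m["InternalClient"]}:{m["InternalPort"]} exposed on {m["ExternalPort"]}/{m["Protocol"]}')
```

Against a real router the fetch callback would be an HTTP POST to the control URL discovered via SSDP and the device description; the audit loop and the parser stay the same. The thing to notice in the AddPortMapping body is what it lacks: nothing in it identifies or authenticates the caller, which is why the thread above treats UPnP as a hole in the firewall rather than a feature.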
But! (Score:2)
Re: (Score:2)
Markets solve all problems for themselves. Not anyone else.
Re: (Score:1)
So your corollary is that juntas solve all problems??
Feedback (Score:1)
If these devices are so trivially insecure and easy to get into, maybe the best way to deal with them currently is to use the same exploits used by blackhats to knock them offline.
Re: (Score:2)
And exactly that is illegal. Sure, a blackhat doesn't care, but a company that could (and, in this lawsuit-happy country, certainly WOULD) be sued does.
In that fucked up system someone who is not only stupid enough to buy such a crappy piece of junk but also stupid enough to not even WANT to know a thing about its function and dangers could actually sue someone trying to fix the problem AND get rewarded. Yes, this system rewards stupidity and punishes anyone trying to save it from the stupid. Wrap your mind
Re: (Score:1)
Yup. I wasn't suggesting that just anyone should do it, but - assuming that laws might be passed regarding the securing of IOT devices - there could probably also be dispensations made for removing bad devices from the internet.
Re: (Score:2)
Whoa, careful there! Who gets to define what a "bad device" is?
Re: (Score:1)
Infected devices shown to be participating in a botnet/attack?
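One way an ISP or a home router could actually tell that a device is "participating in a botnet/attack", as an added example (not code from the page): per-source counters over flow records that flag a flood of connections at one target and a telnet sweep across many hosts, the two behaviours the thread associates with the devices used against Krebs. The flow line format, the thresholds and the sample traffic are all constructed for the example.

```python
"""Flow-record heuristics for spotting LAN devices behaving like botnet nodes:
a flood of connections at one target, or a sweep of many hosts on the telnet
port. Added example, not code from the page. The record layout below is a
constructed, simplified NetFlow-style line, not any vendor's export format."""
from collections import defaultdict

TELNET_PORTS = {23, 2323}


def parse_flow(line):
    """'ts src sport dst dport proto packets' -> dict (constructed format)."""
    ts, src, sport, dst, dport, proto, pkts = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "pkts": int(pkts)}


def detect(flows, window=60, flood_threshold=30, scan_threshold=20):
    """Tumbling-window counters per source. A source that opens
    >= flood_threshold flows to one dst:port within a window is a flood
    participant; one that touches >= scan_threshold distinct hosts on a
    telnet port is propagating like the cheap IoT malware discussed above."""
    flood = defaultdict(int)      # (src, bucket, dst, dport) -> flows
    scan = defaultdict(set)       # (src, bucket) -> distinct telnet targets
    for f in flows:
        bucket = f["ts"] // window
        flood[(f["src"], bucket, f["dst"], f["dport"])] += 1
        if f["dport"] in TELNET_PORTS:
            scan[(f["src"], bucket)].add(f["dst"])
    best = {}                     # (src, kind, target) -> highest count seen
    for (src, _, dst, dport), n in flood.items():
        if n >= flood_threshold:
            key = (src, "flood", f"{dst}:{dport}")
            best[key] = max(best.get(key, 0), n)
    for (src, _), targets in scan.items():
        if len(targets) >= scan_threshold:
            key = (src, "telnet-scan", "*")
            best[key] = max(best.get(key, 0), len(targets))
    return sorted(({"src": s, "kind": k, "target": t, "count": c}
                   for (s, k, t), c in best.items()),
                  key=lambda r: (r["src"], r["kind"]))


def constructed_sample():
    """Constructed flows: a camera flooding one web server, a DVR sweeping a
    /24 on port 23, and a laptop browsing. t0 is a multiple of 60 so the
    whole scenario lands in one window."""
    t0 = 1474000020
    lines = [f"{t0 + i % 10} 192.168.1.50 {40000 + i} 203.0.113.10 80 TCP 3"
             for i in range(40)]
    lines += [f"{t0 + i} 192.168.1.51 {50000 + i} 198.51.100.{i + 1} 23 TCP 1"
              for i in range(25)]
    lines += [f"{t0 + i} 192.168.1.20 {60000 + i} 203.0.113.{5 + i} 443 TCP 40"
              for i in range(3)]
    return lines


def analyse(lines):
    """Parse and classify a batch of flow lines."""
    return detect(parse_flow(line) for line in lines)


if __name__ == "__main__":
    for r in analyse(constructed_sample()):
        print(f'{r["src"]}: {r["kind"]} -> {r["target"]} ({r["count"]})')
```

The thresholds are deliberately crude; the point is that both signatures are visible from flow metadata alone, without payload inspection, so a router or an ISP could act on them (rate-limit, quarantine the VLAN, notify the subscriber) long before the target notices.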
Re: (Score:2)
No matter how you word it, you can bet your CPU that the ??AAs will try to make computers running torrent software "bad devices".
Re: (Score:1)
I should clarify that I've had something similar to this happen to me in the past.
(a long time ago) I had a server which was running a squid proxy. The proxy was fairly open but the firewall rules prevented it from being accessible outside of my LAN unless one SSH'ed in. During an upgrade I broke the firewall rules and accidentally had it open to the world, after which some jerk/jerks hijacked it for nefarious purposes.
Somebody traced it back to my IP, and my ISP verified it was an issue then killed my inte
Fuck you statists! The Market will solve this... (Score:2)
Technically we built it to be the IoT at first (Score:2)
Seriously, we built cameras that watched coffee pots, and coke machines, and watched the crystallography doors to see if people went to lunch so we could get console zero and run stuff.
It's just you n00bZ that think it's all you unwashed masses that we built it for.
That said, just because you can do something, doesn't mean you should.
My fridge should stop pinging the toaster, it's just rude.
This is unpossible! (Score:2)
The market is the only thing that could save us. Government is bad! BAD, I tell you! Trust the invisible hand to squash those problems! The market will sort it out!
IOiT (Score:2)
No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.
This is where gov helps (Score:2)
No, we need to save the Internet from the Internet Of insecure Things. Manufacturers of crap like this should be fined until they take security seriously.
I see comments flipping out already about "how can government fix things?". Well, thru stuff like fines. I've heard the FCC is investigating IoT type vendors. If the FCC can fine companies, or even ban them from selling products in the US until they meet a minimum standard, that will have a huge effect on these companies' behavior.
So far, they make cheap crappy things with crappy firmware, and users/customers aren't tech savvy enough to know how to pick a device with better security features. In fact, there
government would make it worse (Score:2)
It would be an expensive and slow process so start-ups and small scale companies can't compete with the big corporations.
Can't see how... (Score:3)
Re: (Score:2)
By making manufacturers liable for damage done by their insecure devices.
Insecure software is an externality [wikipedia.org]: the manufacturer creates the vulnerability, but the customer (or the whole public) bears the cost when it's exploited. Free-market competition is good at optimizing for minimum cost, but by default, externalities aren't included in the cost being optimized. That's why you get cheap, insecure devices.
If manufacturers are held liable for damage done by
Re: (Score:2)
It's one thing if you've made a conscientious and competent effort to build a secure product, and you provide security updates for a reasonable support period afterward. The point isn't to punish vendors for not being perfect; responsibility for an attack ultimately lies with the attacker, after all, and the vendor is a victim too.
Something like an open telnet port with a hard-coded password, though, is gross negligence. Heartbleed might not be the device vendor's fault, but not providing a firmware updat
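A static check for exactly the two defects called negligent above, as an added example (not code from the page): walk an extracted firmware root filesystem and report init scripts that launch telnetd and accounts that ship with an empty or fixed password hash. The BusyBox-style layout and the tiny sample rootfs the block builds for itself are assumptions made for the example.

```python
"""Static audit of an extracted firmware root filesystem for the two things
the comment above calls gross negligence: a telnet daemon started at boot and
an account shipped with a fixed password. Added example, not from the page.
It assumes a BusyBox-style layout (etc/inittab, etc/init.d, etc/passwd,
etc/shadow); the rootfs written by build_constructed_rootfs() is made up."""
import os
import re
import tempfile

INIT_PATHS = ("etc/inittab", "etc/init.d", "etc/rc.d", "etc/rcS", "etc/rc.local")
TELNET_RE = re.compile(r"\b(u?telnetd|busybox\s+telnetd)\b")
LOCKED = {"*", "!", "!!"}


def _read(path):
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


def _files_under(root, rel):
    path = os.path.join(root, rel)
    if os.path.isdir(path):
        for dirpath, _, names in os.walk(path):
            for name in names:
                yield os.path.join(dirpath, name)
    elif os.path.isfile(path):
        yield path


def find_boot_telnet(root):
    """(relative file, line number, line) for every init line that starts telnetd."""
    hits = []
    for rel in INIT_PATHS:
        for path in _files_under(root, rel):
            for lineno, line in enumerate(_read(path).splitlines(), 1):
                if not line.lstrip().startswith("#") and TELNET_RE.search(line):
                    hits.append((os.path.relpath(path, root), lineno, line.strip()))
    return hits


def hash_type(pw):
    for prefix, name in (("$1$", "md5-crypt"), ("$5$", "sha256-crypt"),
                         ("$6$", "sha512-crypt"), ("$2", "bcrypt")):
        if pw.startswith(prefix):
            return name
    return "des-crypt" if len(pw) == 13 else "unknown"


def find_fixed_passwords(root):
    """Accounts whose passwd/shadow entry carries a usable secret. A hash baked
    into a firmware image is identical on every unit sold, so it is a shared
    default, not a per-device credential."""
    findings = []
    for rel in ("etc/passwd", "etc/shadow"):
        for line in _read(os.path.join(root, rel)).splitlines():
            parts = line.split(":")
            if len(parts) < 2 or not parts[0]:
                continue
            user, pw = parts[0], parts[1]
            if pw == "x" or pw in LOCKED:      # deferred to shadow, or locked
                continue
            issue = "no password" if pw == "" else f"fixed hash ({hash_type(pw)})"
            findings.append({"file": rel, "user": user, "issue": issue})
    return findings


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def build_constructed_rootfs(root):
    """A made-up BusyBox-style image showing both defects (not a vendor image)."""
    _write(root, "etc/passwd", "root:x:0:0:root:/:/bin/sh\nadmin::1000:1000::/:/bin/sh\n")
    _write(root, "etc/shadow", "root:$1$saltsalt$0123456789abcdefghijkl:10933:0:99999:7:::\n")
    _write(root, "etc/inittab", "::sysinit:/etc/init.d/rcS\n::respawn:/sbin/getty -L ttyS0 115200\n")
    _write(root, "etc/init.d/rcS",
           "#!/bin/sh\n# telnetd with -l /bin/sh hands out a root shell without a login\n"
           "/usr/sbin/telnetd -l /bin/sh &\n")


def demo_audit():
    """Build the constructed rootfs in a temp dir and run both checks on it."""
    with tempfile.TemporaryDirectory() as root:
        build_constructed_rootfs(root)
        return {"telnet": find_boot_telnet(root),
                "passwords": find_fixed_passwords(root)}


if __name__ == "__main__":
    print(demo_audit())
```

Run find_boot_telnet() and find_fixed_passwords() against the directory produced by unpacking a real image (for instance with binwalk) to get the same two lists. A shadow hash that is identical on every unit is the "hard-coded password" of the comment above, whatever the password's strength; the fix is a per-device secret set at first boot, not a stronger shared one.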
Pass law that allows 3rd party to brick devices (Score:2, Insightful)
Just pass a law that allows anybody to brick or take offline any insecure IoT device found on the internet. Problem solved.
Script kiddies can then have fun bricking insecure devices found on the internet, and users will be forced to care about the security of the IoT devices that they run. And if users care more, then device manufacturers will respond.
Many 'IoT' devices are unnecessary anyway (Score:2)
not a market failure (Score:2)
That's not a "market failure", it's a government failure: the way liability is handled for software and security, companies get away with selling insecure crap without anybody being able to sue them for damages.
The government? (Score:1)
Are you kidding me? I work for a company that is betting its future on IoT in the manufacturing and heavy equipment area. I promise you, it's the evil 'ole "market" that is causing us to focus a HUGE portion of our resources on security. How do you figure it isn't in every IoT maker's best interest to deliver secure products? They may be failing right now but those that do i
but but but (Score:1)
the free market can fix all things, regulation is bad and hampers the self correcting free market.
Re: (Score:1)
Another content-free garbage comment.
How much bandwidth do these things need? (Score:2)
Re: (Score:2)
Open Source to the Rescue (Score:2)
I feel like in a way we need more open source firmware options. Sure most of these run Linux, but it's the configuration and front end custom software that's the problem. If there were a good standard open source distribution for different devices that was secure by default maybe this would be better.
IoT clusterfuck (Score:2)
On its surface, the IoT sounds like a neat idea.
Unfortunately, in implementation, it's a raging clusterfuck.
Basically, just because you can connect ANYTHING to a network doesn't mean you SHOULD.
Why support the unbacked claim on this? (Score:2)
The government proposes to add a backdoor to all encryption systems, and Schneier, an encryption expert, immediately goes to bat, contributing to and promoting large amounts of nuanced study on the matter to explain why such a proposal will fail. Then, on this networking issue, Schneier provides a completely unbacked claim that the Government is somehow going to magically fix something. I guess because Schneier is a "good guy" I should just assume that his completely unsubstantiated, critical-thinking-free
Straightforward solution (Score:2)
As with other instances where the ROI for implementing good computer security is not there, with potentially disastrous societal consequences...
Make manufacturers liable for damages if their devices are compromised for malicious purposes (DDOS, PII extraction, etc.). Make anyone collecting PII or selling a network-connected device have insurance to cover liability for losses due to security. Bam, problem solved: the insurance market will create the implied ROI (vis-a-vis reduced insurance costs), and busine
Bruce Schneier: I'm old and scared (Score:2)
Re: (Score:1)
Bruce Schneier is a journalist/popular-writer. He wrote a precedent-breaking book on Cryptography. He didn't write it because he was a cryptographer, he wrote it because he dared to do so when a lot of other people were afraid to do so. Out of this, he established a punditry that allows him to pretend to be a 'smart cryptography expert.' Sometimes he's even billed as a 'security expert.' But really he's a popular writer who writes for nerds. Not an expert who could contribute a solution.
underlying insecurity (Score:1)
The internet will never be secure while it is based on insecure hardware and protocols.
Re: (Score:1)
Re: (Score:3)
Here's the issue
1) Good luck doing this. It currently is tricky as is.
2) Here's the REALLY fun one. You identify the entity with the device, they live in another country. You now lack any legal power to influence them whatsoever, unless you have the money to file an international complaint/lawsuit, assuming it is even possible.
2a) Assume your suit goes through; it gets promptly ignored. Random hacked Chinese/Russian/Australian/German is not going to care what some person in another country thinks.
Re: (Score:2)