Bruce Schneier: 'The internet era of fun and games is over'

[Batu69]

Speaking before members of Congress, the internet pioneer made clear the dangers of the internet of things.

 

Schneier on Security

 

Internet pioneer Bruce Schneier issued a dire proclamation in front of the House of Representatives’ Energy & Commerce Committee Wednesday: “It might be that the internet era of fun and games is over, because the internet is now dangerous.”

 

The meeting, which focused on the security vulnerabilities created by smart devices, came in the wake of the Oct. 21 cyberattack on Dyn that knocked Amazon, Netflix, Spotify, and other major web services offline.

 

Schneier’s opening statement provided one of the clearest distillations of the dangers posed by connected devices I’ve seen. It should be required viewing. He starts around the 1:10:30 mark in the livestream below, but we’ve also transcribed most of his remarks.

 

Here’s how he framed the Internet of Things, or what he later called the “world of dangerous things”:

As the chairman pointed out, there are now computers in everything. But I want to suggest another way of thinking about it in that everything is now a computer: This is not a phone. It’s a computer that makes phone calls. A refrigerator is a computer that keeps things cold. ATM machine is a computer with money inside. Your car is not a mechanical device with a computer. It’s a computer with four wheels and an engine… And this is the Internet of Things, and this is what caused the DDoS attack we’re talking about.

He then outlined four truths he’s learned from the world of computer security, which he said is “now everything security.”

1) ‘Attack is easier than defense’

Complexity is the worst enemy of security. Complex systems are hard to secure for an hours’ worth of reasons, and this is especially true for computers and the internet. The internet is the most complex machine man has ever built by a lot, and it’s hard to secure. Attackers have the advantage.

2) ‘There are new vulnerabilities in the interconnections’

The more we connect things to each other, the more vulnerabilities in one thing affect other things. We’re talking about vulnerabilities in digital video recorders and webcams that allowed hackers to take websites. … There was one story of a vulnerability in an Amazon account [that] allowed hackers to get to an Apple account, which allowed them to get to a Gmail account, which allowed them to get to a Twitter account. Target corporation, remember that attack? That was a vulnerability in their HVAC contractor that allowed the attackers to get into Target. And vulnerabilities like this are hard to fix. No one system might be at fault. There might be two secure systems that come together to create insecurity.

3) ‘The internet empowers attackers’

Attacks scale. The internet is a massive tool for making things more efficient. That’s also true for attacking. The internet allows attacks to scale to a degree that’s impossible otherwise. We’re talking about millions of devices harnessed to attack Dyn, and that code, which somebody smart wrote, has been made public. Now anybody can use it. It’s in a couple dozen botnets right now. Any of you can rent time on one dark web to attack somebody else. (I don’t recommend it, but it can be done.)

And this is more dangerous as our systems get more critical. The Dyn attack was benign. A couple of websites went down. The Internet of Things affects the world in a direct and physical manner: cars, appliances, thermostats, airplanes. There’s real risk to life and property.  There’s real catastrophic risk.

4) ‘The economics don’t trickle down’

Our computers are secure for a bunch of reasons. The engineers at Google, Apple, Microsoft spent a lot of time on this. But that doesn’t happen for these cheaper devices. … These devices are a lower price margin, they’re offshore, there’s no teams. And a lot of them cannot be patched. Those DVRs are going to be vulnerable until someone throws them away. And that takes a while. We get security [for phones] because I get a new one every 18 months. Your DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going to replace my thermostat approximately never. So the market really can’t fix this.

Schneier then laid out his argument for why the government should be a part of the solution, and the danger of prioritizing surveillance over security.  

It was OK when it was fun and games. But already there’s stuff on this device that monitors my medical condition, controls my thermostat, talks to my car: I just crossed four regulatory agencies, and it’s not even 11 o’clock. This is something that we’re going to need to do something new about. And like many new agencies in the 20th century, many new agencies were created: trains, cars, airplanes, radio, nuclear power. My guess is that [the internet] is going to be one of them. And that’s because this is different. This is all coming. Whether we like that the technology is coming, it’s coming faster than we think. I think government involvement is coming, and I’d like to get ahead of it. I’d like to start thinking about what this would look like.

We’re now at the point where we need to start making more ethical and political decisions about how these things work. When it didn’t matter—when it was Facebook, when it was Twitter, when it was email—it was OK to let programmers, to give them the special right to code the world as they saw fit. We were able to do that. But now that it’s the world of dangerous things—and it’s cars and planes and medical devices and everything else—maybe we can’t do that anymore.

That’s not necessarily what Schneier wants, but he recognizes its necessity.

“I don’t like this,” he concluded. “I like the world where the internet can do whatever it wants, whenever it wants, at all times. It’s fun. This is a fun device. But I’m not sure we can do that anymore.”

 

You can watch the full committee meeting here.

 

Article source

[VileTouch]

this is a very unfortunate argument. while windows (mostly) struggle with countless infections, systems based in freeBSD (and freeBSD itself, surprise!) have almost nothing to worry about.. btw, most "smart" household items run some flavor of linux or freebsd.

yes, most ATM machines still run on bare bones windows xp and most banks run java based systems. which, yes, is alarming!. but for the most part we're fine. the internet has always been a somewhat dangerous place depending on where you are. the only difference is that back then people didn't realize that. they thought everything they did was confined to the safety of their living room (or bdsm dungeon, if that's your cup of tea). a lot of people still do. but doesn't mean it's any different than, say 10 years ago.

 

yes, now we have 100x more computers and everything is connected to everything else. but saying that "the internet empowers attackers" is like saying air empowers diseases, or outdoors empowers criminals....ridiculous, i know!, but we're not going to take away the air or lock everyone up in a cell to keep them safe. we just happen to realize that you keep your private stuff for yourself and you shouldn't do stupid things in places you shouldn't.

 

and that's all there is to it. you apply the same common sense you....ok, SOME people use IRL and the internet just becomes another "outside". maybe because it is!.