
Bruce Schneier: 'The Internet Era of Fun and Games Is Over' - mpweiher
http://www.dailydot.com/layer8/bruce-schneier-internet-of-things/?tw=share
======
wwwigham
> When it didn’t matter—when it was Facebook, when it was Twitter, when it was
> email—it was OK to let programmers, to give them the special right to code
> the world as they saw fit. We were able to do that. But now that it’s the
> world of dangerous things—and it’s cars and planes and medical devices and
> everything else—maybe we can’t do that anymore.

Mark this mindset as the beginning of the end of the open, inclusive
programming world as we know it.

Schnier visited RIT (my alma mater) last spring, and his presentation revolved
around the threat presented by IoT and the growing need for national
legislation to encumber it. I asked him a pointed question about how this
scaled to the _international_ level, which he decided mostly not to answer
(focus on domestic policy first, and such). Because the answer is simple: _it
doesn't_. Without global collaboration, this philosophy is the beginning of
national internet feifdoms - moreso than what exists today - and the beginning
of the end of the global collaboration we freely enjoy today. I value this
freedom a lot.

I respect Mr. Schneier for his poignant responses to popular security issues
and his ability to be a public face for computer security, but I strongly
disagree with where he's lobbying we take the future to. Maybe I just can't
accept the hard reality that "security isn't easy" and that government
regulation is the only way to force security on people.

~~~
skybrian
It's not like regulating devices is unprecedented. New devices already have to
be approved by the FCC before being sold in the U.S. Suppose that the FCC also
checked that Internet-capable devices are safe to be connected to the
Internet? This would have global impact because most companies want to sell
their devices in the U.S. (And even more so if other countries with big
markets cooperated with similar standards.)

Another possible model would be something like having Underwriters
Laboratories and other independent organizations check the devices.

This is never going to be perfect, but it doesn't need to be. The goal is to
make sure that devices people buy at the store are reasonably secure. In
previous eras, the goal of new regulation was to make sure that you can still
listen to the radio and watch TV, and that people don't often get electrocuted
by their appliances. By and large it seems to have worked.

For more:
[https://en.wikipedia.org/wiki/Nationally_Recognized_Testing_...](https://en.wikipedia.org/wiki/Nationally_Recognized_Testing_Laboratories)

~~~
imglorp
The FCC worked because the devices they regulate are mostly local in range,
but this stuff is global. Even if you do get some regulation in the First
World internet devices, there are still going to be millions of legacy
devices, millions more unregulated in the Third World, plus how many illegal
ones and even more with latent flaws. All of them are going to be targets in
the next DDOS botnet wakeup. So what do you do there, put up national
firewalls? How?

There's around 9,000 CVE's this year so far. Should devices be checked against
all of them? How about next week, does the vendor have to go back and check
your fridge? Do they have to patch it? For how long? Who pays for all that? A
$20 webcam suddenly needs $500/year just in ongoing maintenance and updates.

I don't have any answers, only questions.

~~~
wwwigham
And, not to be prudish, but the lack of regulation is part of what has allowed
the industry to explode. It's more unlikely I can succeed at a kickstarter for
a neat computer dongle if it needs an extra few thousand dollars for
regulatory approval before I can ship it. While I have no personal experience
with the FDA approval process, my father worked for a company in the
healthcare industry - I'd hear stories of multi-month long FDA audits of their
hardware after a 'statistically significant' number of failures in the field.
That kind of pressure is not amenable to single-man operations, as is frequent
in our field - nor should a dev be on the hook for lifetime tech support for a
silly lightbulb or other trinket. Yea, the infrastructure as it currently
stands has issues, but while regulatory pressure will whip the big players
into line, it could also easily choke out smaller players and startups.

On the subject of answers, rather than questions... I have a funny story. So
the XBox one has this neat feature where you can control your console via an
app on your local area network PC or phone. The default setting was that any
device on the network the Xbox was connected to could control it. Imagine
this, in a college dorm. I saw a lot of xboxes available to control. So, after
testing with a friend (yep, I could easily interfere with whatever), I
developed a key combo that I could rapidly input from any console state which
would open the settings menu and disable the remote control feature, locking
out my own access (And I'd know it had worked because I'd be disconnected).
That's right, I effectively developed a virus which patched the vulnerability.
If attackers have the advantage in this field, then maybe we should put more
effort into thinking about friendly counter-attackers. If the silly IoT device
can be pwned, then it can be pwned for good, as it were. Does anyone know of
any groups working in this area, or any research done towards it? Pen-testing
and other white hat hacking activities I know about, but does anyone
officially do this kind of guerilla-patching?

~~~
csydas
I'm having difficulty finding any authoritative or historical resources on
this, but I recall that "good" viruses were for some time planned that would
do just that: Run around, see if they could infect via the method, then patch
and self-destruct.

Ultimately the idea was considered not good because of difficulties with
getting it to work as expected, pressure and fear that the fix would introduce
more issues, liability issues, and so on, and probably some ethics debates on
computer intrusion even for the purpose of securing the device.

I'm not really sure what stance to take on such an issue, since the idea
behind it is good intentions, but I feel like it can lead to unintended
consequences that ultimately would have no one liable. For my personal
machines I have fairly vanilla setups, but many of my friends and colleagues
have rahter intentionally complex set ups and most definitely would object to
someone accessing their set up and making changes without their permission.

~~~
marcosdumay
I remember a history¹ about one that was tried. It just took down the
university network where it was placed.

1 - I'm sure it is in one of my undergrad textbooks. In other words, no way
I'll find it again.

~~~
rst
Sounds like Welchia. See, e.g., here: [http://www.internetnews.com/ent-
news/article.php/3065761/Fri...](http://www.internetnews.com/ent-
news/article.php/3065761/Friendly+Welchia+Worm+Wreaking+Havoc.htm)

~~~
wwwigham
> "Increased ICMP traffic"

Wow. If a virus propergated like this on today's networks, would such traffic
event make a noticable dent in the available bandwidth?

Anyways, I hadn't heard of this virus - it's super neat. Patching its own
infection vector and even explicitly removing an existing virus from the
target machine... The article loathes it for how overtly it affects machines
(forced restart to apply an update) and networks (congestion), but the work it
attempted to do was decidedly good. Sounds to me like it worked well, but had
poor execution in accounting for the network effects it would have. (I doubt
it was rigorously tested in a prod environment ;) ) If anything, I'd see this
as a case study that this kind of offense-as-defense strategy has the
potential to work... Its just nobody wants to take responsibility to do so.

------
nixos
The problem is that software engineering is hard.

Immensely so.

On a scale of engineering "hardness" (meaning, we can predict all side affects
of action), software engineering is closer to medicine than to, say, civil
engineering.

We know stresses, materials, and how they interact. We can predict what will
happen, and how to avoid edge cases.

Software? Is there any commonly used secure software? Forget about Windows and
Linux. What about OpenBSD?

Did it ever have a security hole?

And that's just the OS. What about software?

There are just too many variables.

So what will happen?

There will become "best practices" enshrined by law. Most will be security
theater. Most will remove our rights, and most will actually make things less
safe.

Right now, the number one problem of IoT security is fragmentation. Samsung
puts out an S6, three years later stops updating it, a hole is found, too bad.
Game over.

The problem is that "locking firmware" is common "security theater", which, if
there'll ever be a legal security requirement on IoT, it'll require locked
bootloader and firmware.

And you can't make a requirement to "keep code secure", because then the
question will be for "how long"? Five years? 10 years?

~~~
stonogo
> On a scale of engineering "hardness" (meaning, we can predict all side
> affects of action), software engineering is closer to medicine than to, say,
> civil engineering.

This level of hubris is pretty revolting. Software engineering is _easy_.
Writing secure software is _easy_. The difference between civil engineering or
medicine and software engineering is that practitioners of the former are held
responsible for their work, and software engineers are not and never have
been.

Nothing will improve until there are consequences for failure. It's that
simple.

~~~
estefan
> Nothing will improve until there are consequences for failure. It's that
> simple.

Of course it's not that simple. Clearly you've never written much, if any,
real software.

You want to make an SSL connection to another web site in your backend. You
use a library. If that library is found to contain a vulnerability that allows
your site to be used in a DDoS, where do the "consequences for failure" lie?
You used a library.

Do you think people will write free libraries if the "consequences" fall back
on them? If not, have you even the slightest understanding of how much less
secure, less interoperable and more expensive things will be if every
developer needs to implement every line themselves to cover their backs? Say
goodbye to anyone except MegaCorps being able to write any software.

Where does this end? Would we need to each write our own OSes to cover
ourselves against these "consequences", our own languages?

~~~
biofox
The same could be said for any industry.

Anyone can practise carpentry, but if someone is going to do so professionally
and build structures that can cause injury or damage if they fail, then they
should be accountable for the consequences. This is why indemnity insurance
exists.

In software, a lack of rigour is fine for toy applications, but when
livelihoods and safety become involved, we need to be mindful of the
consequences and prepared to take responsibility, just like everyone else in
society is expected to do.

~~~
estefan
The problem is identifying potential risks. It's obvious if I build a building
it might fall down. It's not obvious if you sell web cams they might be used
to take part in massive DDoS attacks.

~~~
varjag
Well now it _is_ obvious, and honestly it has been so for a while. The reason
we have shitty security is not because the risks are unknown.

------
eveningcoffee
I can propose a quite straightforward solution for this mess: do not connect
things into the Internet.

Your thermostat maybe wants to talk with your alarm clock. I can get that. But
it does not have to happen over the Internet. Let them talk locally.

~~~
wwwigham
That's actually what Bruce wants - and he figures the only way to enforce it
is through regulation. He's given up on the sensibilities of individual
companies and programmers, and would instead like to rely on regulations to
make some basic guarantees.

You and I know the basics of computer security. We can take a crack at
designing a secure system and maybe do okay. But the argument goes like this:
Yes there are security conscous programmers, but there are also many which are
not. And those people work on products which make it to market. How do we stop
those products from making it to market? Government intervention. He's given
up on education and relying on the informed developer, and would rather rely
on public policy. I find it a bit sad.

~~~
jlj
The free market crowd would argue that the surviving companies will bake in
the right security if consumers demand it. If companies don't take it
seriously, either their customers aren't demanding it, or they will be
replaced by companies that do a good job at it.

The government has a proven conflict of interest and disincentive to harden
the infrastructure. Vulnerabilities are valuable for espionage. And there are
already regulations like HIPPA, PCI, etc, yet there are still breaches.
Regulation will add complexity to business and will protect market share for
the entrenched players who can afford to follow it. That will lead to further
consolidation and reduced competition while I feel that the opposite is
needed.

The fiefdoms described in another post wouldn't be such a bad thing. At the
nation state level, competition will also make for better security.
Isolationism doesn't work out well in world history. Movement of goods and
ideas does a better job at bringing countries together. I feel there's a
pendulum swinging back towards isolationism but it goes back and forth over
time.

~~~
alexqgb
What the free-market crowd can never account for - here, or anywhere - is how
the market is supposed to resolve issues that are not of direct, immediate
interest to self-serving buyers or sellers, but which are of massive and
justifiable interest to third parties outside the transaction.

Case in point: If a seller in one country can lower the costs of a good
shipped to another country by scrapping responsible waste management in favor
of polluting the commons (i.e., places where individual property rights claims
are difficult to press), then "the magic of the market" is likely to increase
- not decrease - the amount of pollution generated by the trade.

What libertarians don't like to admit is that they see free markets as more
than ideal mechanisms for preserving efficient economies. They also see them
as efficient sources of good and just governance. Like all belief systems,
faith in the quality of governance supplied by free markets, while rational
and well-supported to a point, can be taken to counter productive extremes
where it maintenance stops operating like empiricism, and starts to function
is ways indistinguishable from fundamentalists religions.

Not sure how many sensible knowledgeable people want _this_ to be the dominant
force in guiding global network security.

~~~
CuriousSkeptic
As a nuance though. one could agree with the notion of negative externalities
naturally occurring in a free market economy (perhaps in a total laissez faire
environment the affected third parties could retaliate in kind though) but
disagree with the form of policy to address it. In principle the market should
be able to select appropriate fixes if the costs are internalized, but
governments have a tendency to focus less on the internalize costs part, and
more on selecting fixes. Pragmatically it might be the best way forward, but
in principle it goes against free market resource optimizations and instead
becomes a gamble that whatever fix is made policy actually do have an impact
on the problem, and doesn't make things worse.

~~~
alexqgb
_Pragmatically it might be the best way forward, but in principle it goes
against free market resource optimizations_

This is a pretty good argument the absolute value of principle, tbh

For what it's worth, I tend to see principles like map; useful - even
indispensable - in many situations, that are nevertheless abstractions and
therefor imperfect guides to actual reality. Use maps, yes, but avoid
mistaking them - or any system of symbols - for the things they represent
(i.e., the map is not the territory).

Indeed, principle is a form of proxy wisdom for the young and inexperienced.
It's better than nothing, but probably not enough to save you from at least a
few episodes of hard reckoning. Assuming these don't get you killed, the
places where principle doesn't serve are the ones where mature judgement
develops.

Granted, there's a point where this doesn't serve either, but that's okay too
since mortality always wins in the end.

------
zzzcpan
It feels like they are using dyn ddos incident as a 9/11 of the internet. So
much fear mongering and push for government involvement, disgusting. Next
thing you know you'll need a license to write software for appliances and
mandated to put a surveillance API into everything.

~~~
gioele
Schneier point of view is that government involvement will happen and it is
better to shape this involvement before the US government is forced to
intervene after a large-scale disaster.

> Nothing motivates the U.S. government like fear. Remember 2001? A small-
> government Republican president created the Department of Homeland Security
> in the wake of the 9/11 terrorist attacks: a rushed and ill-thought-out
> decision that we've been trying to fix for more than a decade.

> A fatal IoT disaster will similarly spur our government into action, and
> it's unlikely to be well-considered and thoughtful action.

> Our choice isn't between government involvement and no government
> involvement. Our choice is between smarter government involvement and
> stupider government involvement. We have to start thinking about this now.
> Regulations are necessary, important and complex ­— and they're coming. We
> can't afford to ignore these issues until it's too late.

[https://www.schneier.com/blog/archives/2016/11/regulation_of...](https://www.schneier.com/blog/archives/2016/11/regulation_of_t.html)

------
Futurebot
I'd love to see what a detailed version of security policies and
infrastructure look like in a world of backdoor-less strong encryption from
Schneier, the EFF, the Hopkins crew, etc. Something that can be used to
persuade, or at least influence policymakers by allowing them to see that
another way is possible, one that allows security services to do their job in
a way that allows them to feel that their work isn't futile, while
simultaneously respecting privacy rights. I think the need for strong
encryption and no backdoors (which as Schneier himself has explained in the
past, are always a double-edged sword) are very important and I support them,
but that those on the side of it who also have in-depth knowledge about the
finer details don't deign to articulate just what exactly the policy looks
like without resorting to just a list of what we shouldn't do and vague
allusions to "just go old-school" or "utilize human assets more."

A coherently articulated, normative counterfactual security platform would be
a better place to argue from.

It's a cousin to the negative liberty arguments: they only list what not to do
to in order to avoid hurting people, rather than what we can do to help them
(positive liberty.) Maybe we could frame the question as "If we let the EFF
and Bruce Schneier redesign the United States security apparatus from scratch,
what would it look like?"

We already have excellent critiques, and are good at articulating "what's
bad," but far too little on "what would a good system look like that strikes
the 'right' balance?"

~~~
nickpsecurity
A combo of per-customer authentication at packet-level, DDOS monitoring, and
rate limiting (or termination) of specific connection upon DDOS or malicious
activity. That by itself would stop a lot of these right at the Tier 3 ISP
level. Trickle those suckers down to dialup speeds with a notice telling them
their computer is being used in a crime with a link to helpful ways on dealing
with it (or support number).

Far as design, they could put cheap knockoff of an INFOSEC guard in their
modems with CPU's resistant to code injection. Include accelerators for
networking functions and/or some DDOS detection (esp low-layer flooding) right
at that device.

[https://en.wikipedia.org/wiki/Guard_(information_security)](https://en.wikipedia.org/wiki/Guard_\(information_security\))

------
phantom_oracle
I think I live in a bubble...

But...

Who buys these products? Why does a toaster need to be connected to the
internet and synced with your "smart"phone? What exactly can you achieve
having this feature?

~~~
imaginology
Not sure about a toster, but there are benefits to having some household
appliances connected to the internet. For example, a washing machine may be
able to determine what hour it should operate for maximum energy savings, and
ping you when finished. I guess a toaster could be similar; pre-loaded with
bread so you could ask it to start toasting before getting up from the sofa.

> Consumers may find it totally cool to design images for toast using a
> smartphone. Meantime, the resulting data would help food companies
> understand how people approach breakfast, design new products and market to
> consumers more effectively.

[http://blog.rackspace.com/internet-of-things-why-
connected-t...](http://blog.rackspace.com/internet-of-things-why-connected-
toasters-and-other-smart-home-devices-matter)

~~~
rglover
> [...] pre-loaded with bread so you could ask it to start toasting before
> getting up from the sofa.

But how did the bread get in the toaster?!

------
willholloway
Could we not solve the problem of DDOS through collaboration between hosts and
ISP's?

1) DDOS attack is detected 2) Attacking IP addresses are sent automated DDOS
abuse notifications 3) ISP, like your credit card company when it's machine
learning algos detect fraud ask for human back channel verification like SMS.
4) ISP notifies user of suspected bot on one of their devices. The onus is put
on the user to run a secure network and remove or fix offending devices.

This system could work well for residential connections at least.

It could be implemented similarly to the way spam is handled by the internet,
bad neighborhoods and networks that don't self police are treated as second
class citizens.

~~~
therealidiot
> It could be implemented similarly to the way spam is handled by the
> internet, bad neighborhoods and networks that don't self police are treated
> as second class citizens.

Please no, the way spam is handled on the internet means that anyone who isn't
already a massive internet company is usually treat as a second class citizen

~~~
willholloway
On second thought, agreed. I hope that is not part of the solution.

I think that our routers may be the key, or are at least completely negligent
at the moment.

A normal consumer router is essentially a black box, but it should be a
watchdog. The router should alert users when suspect outbound traffic is
originating from it's network.

Of course the router could be compromised, and router patch cycles are
atrocious generally, but this method could notify in case of hacked IP cameras
and thermostats.

------
barnacs
In my opinion, this is yet another example of a social problem that technology
simply amplifies.

Humans make mistakes. Computer systems are fragile. As humans keep developing
computer systems, new attack surfaces, new vulnerabilities will be introduced.
It's pointless to try and keep playing catch-up either with or without
"regulations".

Instead, we should consider _why_ such attacks happen in the first place. Who
are the targets? States? Corporations? Maybe they're not open enough. Maybe
they're too powerful. Or are we afraid that our governments, corporations, or
other entities/instituions of our society invade our privacy to manipulate us?
Or are we scared for our wealth or status?

None of these are technological issues at their core. Our society needs to
adapt and grow up to this powerful technology. Until then, the only thing we
can do for our safety is refuse to use it.

------
patcheudor
"Any sufficiently advanced technology controlled by a miscreant is
indistinguishable from a possessed object in a Stephen King Novel."

[http://thefutureisastephenkingnovel.com/assets/player/Keynot...](http://thefutureisastephenkingnovel.com/assets/player/KeynoteDHTMLPlayer.html#2)

------
qwertyuiop924
Yep. Keep IoT on the LAN, or give it the same respect you would any other
networked computer.

However, the day the the Internet Era of Fun And Games is over is the day that
the internet keels over dead. The Internet was (almost literally) built on fun
and games.

~~~
0xCMP
But the problem has been people haven't done that. So here we are.

Maybe some stick (vs carrot) for unwittingly contributing to a DDoS to make
people care will work? Not sure. I'm not really liking any of these solutions,
but the problem is that it'll get worse.

~~~
gooberdoober
I don't know, do they have to run on the same network as everything else?

Maybe a first step is just to have an address range for these demonic things,
which isn't publicly routable (unless you deliberating NAT it). The "home
network" range (steal back some of that loopback space!).

------
sandworm101
>>> We get security [for phones] because I get a new one every 18 months. Your
DVR lasts for five years, your car for 10, your refrigerator for 25. I’m going
to replace my thermostat approximately never. So the market really can’t fix
this.

Yes it can. It is fixing the problem as we speak. I, a security aware person,
would never buy a connected thermostat. I'll buy the 5$ model that does the
job I want perfectly. And my connected DVR lies behind some decent protections
on my local network. Should it start participating in a dos attack or talking
to those it shouldn't, I'll notice and replace it with a better system. The
same is true of laptops, phones and cars. Once people are burnt a couple times
they will opt for the safer models. Government could perhaps accelerate this
process by increasing manufacturer liability (lol, not for the next 4/8 years)
or by mandating that unmaintained products self-brick (again, lol). But the
market will react nevertheless.

~~~
saint_fiasco
> It is fixing the problem as we speak. I, a security aware person...

The market of devices bought by security aware people is not the market that
Schneier is concerned about. It's this other much larger market of normal
people buying the least expensive devices with the most convenient features.

Those consumers won't notice or care if their devices participate in dos
attacks, but the targets of the attacks care a lot. It's a classic example of
a negative externality.

------
Mithaldu
In the video he makes an excellent point, that i think is valuable to
highlight and repeat here again:

Device insecurity is in aggregate very similar to environmental pollution of
devices.

It is a latent danger that in some cases can stick around for many decades, it
is caused by many people invidicually adding a tiny bit to the problem, it is
created because right now accepting insecurity makes the product cheaper
without directly hurting either the manufacturer or the buyer.

------
sbuttgereit
I remember the last time we called on a government security solution for a
problem that was perceived as too difficult and too critical for the private
sector that had been, up to that time, managing the issue.

That's roughly how the Department of Homeland Security was born and the TSA
was given the critical task of managing airport security where the failures
happen. I wonder how Mr. Schneier thought that worked out?

I cannot take seriously any open-ended demand for regulation in the name of
safety that doesn't spell out pretty detailed proposals which would work in
practice; what such regulations should address and what is off limits. The
last time we did this, we sacrificed rights and gained little (if any)
additional security; I think Schneier calls it "security theater". I want to
know why he thinks his call will result in ANYTHING better than that fiasco
before I'm even vaguely convinced that this is the right answer.

Please don't read this as my not believing that there is a real problem and
threat. I'm simply dubious of Schneier's answer at this point. "Any action"
here is not necessarily the right action.

~~~
hackuser
> the last time we called on a government security solution for a problem that
> was perceived as too difficult and too critical for the private sector that
> had been, up to that time, managing the issue. / That's roughly how the
> Department of Homeland Security was born

I'm pretty sure the U.S. government has taken on other security issues since
the DHS was founded in 2002.

~~~
sbuttgereit
And what's your point caller? Your statement sounds like blind trust and
assumption rather than any actual knowledge. Sorry, I can't do that.

So let me run the exercise a bit... DHS... Patriot Act?... All that Snowden
revealed stuff?... Invasion of Iraq?... Lybia?... Syria?... the U.S.
Border?...

OK... a bit glib, but the point is there: where are the successes where the
government protected citizens successfully without a disproportionate
reduction of rights of those citizens. Off the top of my head, I can cite
about as many as you did. I imagine there are some out there... but the track
record isn't so good.

------
WalterBright
Add a physical write-enable switch or jumper, so that malware cannot be
installed into the firmware, and hacks cannot survive a reboot.

------
throw2016
There have been dozens of discussions on ddos and iot over the last few weeks
here and its curious the technical consensus to solve a 'fragile network'
problem is with politics and control and a political problem like surveillance
with technology.

The first can't be solved with politics without locking down the internet and
fine frained control of billions of devices connecting globally in others
words an unachievable strategy. And the second cannot be solved with
technology unless anyone truly believes they can fight an organization with
the law, tens of thousands of programmers working on surveillance 24/7 and
near endless resources on their side. This way none of the problems get
solved.

------
greggman
I don't understand how this regulation will work.

Will all open source software have to be submitted to some government run or
approved certification? OpenWRT? Linux? Random App that accesses the net?
Raspberry PI python script?

Sure it matters that 1 million IoT cameras are secure and can be updated but
what about a million servers running some npm library? Do those need to be
regulated too?

I'm very concerned about the security issues but I'm not looking forward to no
longer being able to write software because I need it certified every time I
add a line.

Are there other solutions that don't require regulation?

------
cmurf
It'll be a continuous sequence of market and government failure until it
breaks. And in the meantime it'll involve a lot of finger pointing, not least
of which will be at the user e.g. the user is stupid for clicking on that
obvious link and deserves to be defrauded, that'll teach them; and other mind
numbing nonsense. We'll see a return to walled gardens of private networks
very restrictively interconnected, similar to the days of AOL, CompuServe, and
Prodigy.

------
bArray
The governments want to get involved - the simple fact is I don't think they
can. Software can be much more complex than humans. There are systems out
there that are already so complex, no one human can reason about the entire
system.

I don't think law could even keep up with the space it wants to govern. They
would be better trying to govern the application space as they have already
been doing, such as vehicles, nuclear, etc.

------
MichaelMoser123
Did Bruce Schneier call for regulations that should prevent ddos attacks? What
kind of regulation/law does he propose?

In other articles Schneier called to solve other problems by regulation - for
example to limit data retention by internet companies. are laws the answer? Is
these no way to solve security related problems be better technology?

Will microkernel os solve embeded device security or will it be regulation?

~~~
porkloin
Correct me if I'm wrong, but I believe he's calling for a specific organ of
government to take on regulation of the internet and connected devices in a
general sense, not calling for some specific regulation or law.

I suspect what he's getting at is having some set of "safety standards" to be
put in place, especially for IoT tech. The whole quote of

>Our computers are secure for a bunch of reasons. The engineers at Google,
Apple, Microsoft spent a lot of time on this. But that doesn’t happen for
these cheaper devices. … These devices are a lower price margin, they’re
offshore, there’s no teams. And a lot of them cannot be patched.

sums up that point pretty well.

I honestly don't know how you would really enforce something like this, but
the proposal seems to be less about the specifics of regulation and more about
the need for new regulation. The FCC really isn't equipped to handle this kind
of thing.

~~~
MichaelMoser123
% honestly don't know how you would really enforce something like this

Probably like with automotive code - they don't have code audits but have
mandated test scenarios. The problem is that you need large organizations to
work these out

i guess Schneier has a point, if consumers do not demand secure systems then
it can only be done through regulation.

that would be a very German approach - they have strong consumer advocacy
organisations like Stiftung Warentest and the Adac, these then push for more
consumer protecting regulation. [1]

Once upon a time these requirements were also used as protectionist barriers.
In our days that would mean: you did not bother to update your toolchain and
have no firmware updates for this smart light bulb of yours? gone is your
import license.

[1] [http://americastradepolicy.com/german-customer-protection-
or...](http://americastradepolicy.com/german-customer-protection-or-
protectionism/#.WDaqd7J96M8)

------
sliken
seems like the answer to this is a federal standard for home firewalls. You
buy a random piece of crap camera, the FCC or similar should track and publish
a reasonable firewall rule for it. That way hordes of IoT devices could
participate in a DoS without the FCC publishing bogus internet rules.

------
RRWagner
There are few powerful technologies invented in the last 100 years for which
the government did not eventually require a license to make or even operate. I
do imagine a future where to own a computer that can truly "create" will
require a license to own and operate.

------
z3t4
We do not need more laws and regulations, we need less. Remember what happened
if you had a security vulnerability 15 years ago ? You got hacked by some kid,
then you patched your system and restored from backup and gave the kid a
cookie. What will happen now ? And why ?

------
xapata
Government is useful to solve the tragedy of the commons. Insecure devices are
a negative externality. The government should tax insecurity (or fine device
manufacturers that allow an attack) and use the revenue to subsidize software
security efforts.

------
woliveirajr
And I think that it'll be interesting when this kind of thing backfires. Like,
let's say, USA government wanting that some computer made by Digital doesn't
give the correct precision in all calculus done in the USSR nuclear research.

------
heheocoenev
The fun and games are just getting started, it's just the stakes have been
raised.

------
simonlebo
Could ISP be responsible for attacks coming from some of their infected users?
Shutting down someone's internet for 'abusive use' would be a good incentive
of getting incriminating devices out of the market.

------
debt
bro imma let you finish but

"the government should be part of he solution?" Hahah wtf

Bro

the gov't regularly "hacks" all the things(including the internet of things)
legally that I literally couldn't give a shit if some random fucktard script
kiddie decides to hack my router.

the government literally does it on the regular legally.

that's the actual problem. get a mitt bro.

------
Entangled
> "Schneier then laid out his argument for why the government should be a part
> of the solution"

Now we have two problems.

------
pessimizer
This site's ssl is broken.

~~~
ursus_bonum
Or you're using Chrome.

~~~
whyagaindavid
I too get an ssl error with firefox 50

------
kordless
We're going to need to integrate cryptocurrencies with APIs. Encrypted pay to
play is the only way.

------
Pica_soO
Another approach to security - give everyone a nuke, and only prevent
untraceable strikes. If everyone can denial of service the guy who started it-
he wont start it?

Dear god, now im pro-gun. Also then identity fraud will be the weapon of
tomorrow.. I miss the old internet.. maybe if the speed is so slow, that
strikes become uninteresting..

Could the servers transferring TCP-IP be adapted, in such a way, that a mass-
traffic causing incident (controllserver) leads to a slowing down of the
connection of the causality chain origin?

No, crypto prevents that. What a nice little maze.

