As a user, but not in any way a computer professional, I can say that I am horrified at how cavalier EVERYONE I know is about security.
Two step authentication? Takes too long.
Alexa on all the time? Sure, how else would I order what I want now?
Clicking on sketchy links? Sure, but the puppies are so CUTE!
Yeah, we need a lot of help from regulators, on-line companies, hardware manufacturers, etc., but we as consumers need to also take responsibility. If you leave your keys in your Lexus and it’s stolen is it really their fault?
(And yes I do recognize the difference between things like the power grid, medical info, etc but it’s clear the average voter is not invested in this issue).
10
I wish people would watch the Robert Redford film "Sneakers," now over 25-years old. NPR shows won't take my calls when I try to talk about it, but this is a problem a long time in the making. Watch the film and be frightened.
https://www.imdb.com/title/tt0105435/
2
Too late
Duck and cover
1
Self to coffee maker, “make me a cup of coffee.”
“I’m sorry Dave, I can’t do that”
8
Republicans, who control all three branches of government, are too busy rigging the next census with citizenship questions, both denying and stoking climate change while attempting to deal with the disasters it creates, and lying to the public in pre-election attack ads to care one whit about securing internet connected devices. Vote November 6!
8
Certainly these are hugely important industry wide risk issues that need to be addressed.
In the mean time this aging baby boomer and spouse are are beginning to look at all technology products as if they were USDA food products and what we’re beginning to conclude is that most of it is pure sugar that should be avoided no matter how sweet the taste.
Good health can be maintained by rejecting unhealthy technology such as Facebook and Google.
11
"Regulation is inevitable. "
Not anymore, sadly.
5
Yes, make technology more secure. But that misses the main point, which is that perpetrators of security invasions, whether by a nation state or nefarious individual, need to be shut down.
Go after the people who are behind the attacks and make them pay substantially for them. Once it becomes too expensive to attack technology users, the attacks will mitigate.
Of course, the attackers are very sophisticated, and getting more so all the time. But that doesn't mean they can't be stopped. There has to be a response against them which is sufficiently painful that they will stop their attacks. It's more difficult when a country like Russia attacks our elections, or China attacks our companies. But just because it's hard doesn't mean we can't stop them, too. All it takes is willpower.
Stop the supply of attacks, and the internet will be safer. It will be expensive and time consuming, and will have many failures along the way. But what alternative is there? Do we want a safe internet or not?
And yes, tighten the security for computers and IoT devices, too. It's unbelievable that products can be shipped that have little or no access security built in. But the vast majority of attacks don't come from computer geniuses. They come from naive or unsophisticated users who are unwitting prey for hackers, so user education and increased awareness of sound computing practices need to be established, too.
The internet is too important to let attacks run rampant like we are.
2
Max to go after perpetrators you have to define what standard has been violated. I take the article to suggest regulations that would do that, and thus set the stage for enforcement-- ie going after the perpetrators.
2
@Rhporter I agree that standards are needed for better and more widespread security implementations. But we already have laws on the books (larceny, fraud, conspiracy) and international agreements that allow us to go after hackers, whoever and wherever they are. We're doing some of that (see also: Mueller) but we haven't invested enough resources into it to make the difference we need. That's why I said it's a matter of willpower. We pretty much already have the means.
I fully agree with the author, except for one thing, the greatest IT disasters in many countries were created by government. Most politicians and too many senior bureaucrats can barely switch on a computer let alone conceive the vulnerabilities and consequences of the connected world. They do not really know how computers work - their capabilities and limitations. Nor do they understand supply chain vulnerabilities: the cheapest tender wins even if it comes with pre-installed spyware. Some senior bureaucrats install spyware, to control their employees, not understanding that it can be used as a "gateway" into their systems.
Then there are agencies of government that see the connected world as the culmination of an 'Orwellian' dream, where every device can be used to spy on the community.
To pick up on one of the author's salient points: the only entity that can be less relied on than government is the "market".
4
Actually: the solution to the problem is to revisit Internet Protocol.
IP is a messaging system built from a conceptual model developed through much academic, commercial and military cooperation in the late '60's-early 70's. The model was known as the seven-layer OSI.
The Internet as we know it is quite new, and relatively simplistic. Fixing IP security requires going back to the seven layer model, and implementing new security at both lower and higher layers of the otherwise quite satisfactory communications model.
6
These types of articles never fail to bring the self-righteous technophobes and proud luddites into the comment section. They complain about how their decades-old toasters work just fine, how they would never join a social network, how they still go to the bank to pay bills, and so on. Good for them, but doesn't speak to reality for most people.
There's also the entirely unhelpful group of self-proclaimed 'computer experts' who cannot fathom the idea of, for example, applying for a credit card using a social security number, because not everyone has the assets to pay cash for the higher priced goods at local stores. They talk about how they've warned younger generations of the dangers of using technology with personal information, but in so doing they make their arguments unheard because of how extreme it comes across. It is unreasonable to expect people to give up social networking, assistive technology, and other digital conveniences despite the risks they may pose.
It is indeed a fact that many are cavalier with their personal information and identity security. The way to improve this is not to demand digital abstinence, but instead to provide education and tools to protect oneself. It can be done and it's not as hard as many may think, though reliable advice is admittedly hard to find. It's time we start to think about digital security the same way we think about progressive sex-ed. We need to stop fear-mongering and teach the facts. And this goes for all ages.
6
The constitution offers no guarantees to the right for privacy. If it did, the amount of personal data collected and stored would drop dramatically simply because of the risk involved, and you'd see a lot more attention given to security. Right now our laws and culture has created an environment that pays out large rewards to companies that successfully collect and use personal data, and it's rare that they are punished if that data gets misused or is lost due to poor security. We can change that equation by creating new laws and prosecuting those who break them, but until we do, we shouldn't expect companies to come to any sort of different risk/reward conclusion than they do today. HIPAA laws dramatically changed how companies stored personal medical data, and there's no reason similar laws couldn't be enacted for other types of data. It's not rocket science.
4
I am not "the government is not the solution but the problem" kind of guy so I have no problem with government getting involved. But there is a simple fact that I wonder about? If FCC cannot even manage to make the "do not call list" stick, how are they going to manage computer security?
9
The cloud and subscription model of software is fundamentally insecure. And it is completely unnecessary. The actual purpose of that model is a steady income stream for the vendors, not the glory of upgrades and mobily (new word) accessible storage.
There is no inherent reason for IOT devices to have to "call home" to Amazon or google or apple or microsoft or anywhere. The standards should be oriented toward secure local networks that access beyond that only when explicitly directed to do so. And even then to not 'call home' but connect with roaming devices through VPN or other more robust private anonymous connections and above all NOT through an 'Account". Accounts are where they gitcha. Avoid them like the plague. I see an enormous market for smart speakers that were Not connected to the internet until explicitly told to do so, rather than connected by default and design. The function would be exactly the same but without the creepy personal privacy invasion. The tech already exists and is already cheap. Perhaps not as profitable to the tech monopoly overlords.
4
Several commenters have bemoaned the fact that Schneier didn't simply recommend that people just not buy connected devices. Perhaps he didn't mention this option because he knew that it wasn't going to happen. Security breaches regularly make major headlines, yet people keep buying connected devices. This kind of behavior isn't new; I can't really think of any time in history when people intentionally abandoned advanced technology to revert to less-capable products. Millions upon millions of connected devices are going to be sold over the coming decades; rather than deny reality, we ought to minimize the dangers as much as possible.
7
A significant number of the recent hacks have come about via relatively unsophisticated phishing exercises when users - who should have known better- opened emails - clicked through to fake websites and freely entered their personal info including passwords.
As has been noted for at least a few centuries - 'you can't fix stupid'.
5
I find this unconvincing. Primarily because to give it much credence you have to assume that Bruce Schneier has some deep level of understanding of these insanely complex technological, political, and economic systems. But as Adam Curtis points out to us: _nobody_ understand these systems anymore. The people in power no longer try to control these systems, they merely try to prevent one crisis after another (if they are even competent).
Predicting the future of cybersecurity is nearly impossible. Schneier's predictions are one way things might play out. But it's also entirely possible consumers will simply get sick of computer-embedded junk. Think about all the frustrating smart thermostats installed, and the Alexas and Google Homes that already sit unused in people's closets because they just add an annoying aspect to people's lives.
I do believe hackers will hold more giant computer systems ransom - but companies won't put up with that for long. And the only terrorists so far who seem capable of doing real damage are the ones sponsored by the US government. These systems ARE complex - without billions of dollars behind them it might just be too hard for terrorists to work out the flaws and take advantage of them.
My point is there's just too many different directions this could go in to start panicking about what the danger of robot cars or drone delivery might be. Let's not worry about our future sci-fi problems until we've addressed the real ones we face right now.
1
“The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market — for security to be built into the products and services they want.”
Um, are you kidding me? Is that why Bill Gates is one of the richest men on the planet and Apple is worth over a TRILLION DOLLARS? Consumers are paying plenty. The reason is corporate greed suck I guess every extra penny away from what should be included features both performance wise and whatever security features are the most effective and up to date. That would be the nonselfish, ethical thing to do, but as noted, if American/global capitalism structure and corporations were people they would be diagnosed somewhere between sociopaths and psychopaths.
8
Did you read the entire article? You seem to have missed the point - people are buying connected devices (not PCs and Macs) with no way of knowing how to gauge their security. And if a company comes to market late, and at higher cost, because they've taken the time to bake security in, they are unlikely to get traction for their device on the basis of security alone. Because people like you don't see the risks, and don't value them with your wallet.
4
“...we need regulatory agencies to penalize companies?” Good luck! Even without Kavanaugh, this will be rejected by the hardcore right wing zealots on the SCOTUS, with no consideration at all. It’s more big government red tape and bureaucracy, and if it costs corporations money, you may be certain that the Justices and Congress, who are in the palms of the wealthy, will prevent it. And when the data is hacked, when the cars and trucks start driving off the road, the CEOs will come to the government for bailouts, and get out of jail free cards. And the taxpayers will foot the bill for the damage. All because Reagan declared that government was the problem.
The author of this article is a Cassandra, who is screaming about the Trojan horse, and no one will listen.
10
"The courts have traditionally not held software manufacturers liable for vulnerabilities."
Perhaps it's time for this to change. One should wonder how is it so many CEO's make countless millions per year but the security head probably makes a pittance by comparison.
3
Whenever I read the words "the government needs to step in and regulate" these days, I laugh a little, albeit largely without humor.
I do so because for as long as I can remember, I have swatted away up to 5 robocalls a day.
This despite:
(i) Being on the government-encouraged Do Not Call register
(ii) The government declaring such calls illegal
(iii) My telephone number being a piece of personal data that must have been sold by my carrier or someone other than me, all under the regulation of the government
Government regulation does not appear to work when it comes to determined tech menaces. So what's Plan B?
14
I'm an electronics engineer who has a reasonable understanding of how this technology works, and I can't imagine that as long as this stuff is connected to the public internet that security will ever be complete, government involvement or not.
The solution in my mind: don't connect everything to the internet!! I don't ever want a car that's 'connected'. I don't want home appliances that are 'connected'. I don't ever want 'Alexa' or any of that type of junk.
We truly don't need this stuff, and I'm more than happy to swap a bit of added convenience (?) for not having to worry about the kind of things the author suggests.
22
Many companies are already doing what they can to make their systems secure, but the technology to build computing systems in a secure yet reasonably cost-efficient way doesn't exist at this point. Government regulation will not solve this fundamental problem -- it would be like requiring car manufacturers to start building solar cars. Mandating nonexistent technology will be counterproductive.
The real role for government is to properly fund basic research on cybersecurity defense, since no individual company has the incentive to solve the problem for everyone else. There is some promise of real solutions, but basic research on cybersecurity defense has been underfunded for decades.
6
I have little patience for those that feel they need something called a 'smart speaker' much less a smart toaster or smart refrigerator. Is the convenience of knowing when you're out of eggs (if it can even tell you that) really worth the sacrifice of privacy?
People need to start thinking rather than blindly adopting--and trying to be the first to adopt--relatively useless new technologies. Most of those technologies are little more than marketing ploys. I mean there are still a few tablets in use, but no where near the numbers that would be indicated by the fervor of a couple years ago.
Having said that, there are serious security issues on the internet. Banks have dealt with them fairly well--they have financial incentives to do so.
I suspect that, with the passage of time and the increased occurrence of breaches, security measures will become more common. Encryption and authentication protocols, block chains, and VPNs are all likely to see increased use.
6
Over the years we have made changes that we are comfortable with, do not compromise our lives, and are mindful of hacking and security.
Our Scottish Canadian frugality kicked in again a few years ago when we realised that many things we actually might need or desire have already been made. If a toaster breaks down and cannot be repaired, there is always a charity shop or a church jumble sale that has a product one may test and save money in purchasing.
We pay with cash money more than we did ten years ago. Not for everything like bills that we pay at our bank with a live human, but for food, gasoline, household items that are needed. We also ask for and receive occasional cash discounts.
We are not Twits and we are not on Twitter. We are not on FB. I can assure you that no one we know would be fascinated in the least in a picture of a plate of food we are about to consume. We have flip mobile phones.
In Canada we have Social Insurance numbers. The only one you ever give the number to are banks, the Ministry of Health for health care, an employer, and Revenue Canada. No one else. Like millions of other Canadians, I have never had the need to ever memorize my SI number which I have had all my life.
Never purchased anything online. For the record, in Canada our own social class would be considered 'upper middle'. We live quite well. We have a large circle of friends, a few are like us, and some more wired and some even less wired.
9
I suspect that much of the vulnerability comes from the use of Linux derived "free" OS's. Android and other Linux derivatives are popular for embedded devices largely because of the free libraries that power wifi, bluetooth and other systems that would otherwise require libraries that come with royalties. These systems are incredibly powerful and can do lots of things, often things that you really don't need your internet connected toaster oven to do. We need a better a public domain OS that is built from the ground up to be secure and that limits the functionality of the final product to only what it needs to do.
1
Um. Maybe no. Windows, which is decidedly not free nor in the public domain, is considered much more prone to attack than Linux (Android is based on Linux), for example.
The conventional wisdom is that open-source operating systems such as Linux are more secure precisely because security itself is crowd-sourced. The source code is freely available for all to peruse. The community of sleuths out there, looking for vulnerabilities, and regularly coming up with useful patches, is quite robust.
1
“...The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market — for security to be built into the products and services they want...
This is utter nonsense...
It’s the same argument US carmakers used about quality and safety – until European and Japanese companies drove them to the brink...
At an over-simplified level, the computational overhead for digital security is about the same as for digital error-correction...
Further, it’d be as straightforward to provide “true-digital-off” modes for products as it is to provide an airplane mode...
And a true complete log of all incoming/outgoing messages...
Instead, we have to endure a phone – not even a smartphone – system where someone can spoof an incoming number to be just about anything they want...
That would not happen without the rent-seeking complicity of the network platform providers...
As far as:
“...No industry has significantly improved the security or safety of its products without the government stepping in to help. Cars, airplanes...
It was the market that drove jet engine makers to make them so reliable that only two are now required – no matter how far the plane's flight range...
And interesting that you don’t mention all those – publicly owned/operated – train systems, who’ve forestalled installing the simplest signal and braking controls for more than two decades...
As far as...
“...financial products...
Two words:
Option ARMs
7
The internet was a good idea now gone wrong. If we had any sense we would just turn it off. It's funny that there is no suggestion in this article that we just shouldn't buy an internet connected refrigerator. I don't have one. Put that alexa thing in the trash.
14
@Neildsmith Do you have any idea how much of the world uses the internet in some form or another? Turning the internet off for the financial system alone would cause worldwide pandemonium, if not world war three.
Thank you, Mr. Schneier!
We should deal with this like Y2K: add/embed security in the devices and apps you sell by Y2020, or they go dead.
1
When does security become censorship?
@Bobo Censorship applies to human speech and expression. How is your fridge talking to your microwave either of those things? Or, worse, how is a hacker connecting to and siphoning your computer either of those things?
Regulating vulnerabilities in software is no more an act of "censorship" than putting bars on your windows against burglars. What next: allow robbery to go unchecked because the thief is "expressing himself"?
Give me a break already.
4
This horse has been out of the barn on the individual user basis for more than a decade, and overall even longer given that government systems have been massively gapping swiss cheese since the 1980s. Everyone went cheap then as now. Those who are best protected spent the money and time on high quality hardware/software (not IBM and Microsoft), educated themselves prior to plunging headfirst into all things internet, use common sense when handing devices to children, and never download porn or crackpot junk emailed from Uncle Cliff on the "real hidden story of..." via GMail or Yahoo or, ROFL, Hotmail.
Smart people are aware and careful. Period. They don't use Google or Facebook. They do use DuckDuckGo and VPNs, along with endless privacy settings and blockers on 'puters, mobile and streaming devices. My longtime email provider keeps ramping up security such that any new contacts have to scale a v-e-r-y high filter setting that I joke its Defcon 1. Inconvenient for the 1st time user trying to email me and whom I have to allow over the threshold? Not really. Plus, I've never been hacked in over 25 years. I also use Guest checkout on retail web sites, rarely allow any company to store more than my name and address. Nothing any of us can do about the criminal corporations of Equifax, TransUnion, and Experian - 'cept to put freezes on all credit reports/SS# of every family member, particularly those of children that are ripe targets for illegal immigrants and criminals.
16
I view cyber security the same way I view bike locks. A bike thief will steal your bike if you give them enough time. There is no amount of security that will prevent a determined bike thief. The trick is to make your bike not worth stealing. The effort it takes to break the lock isn't worth the bike. The one leaning against the next parking meter is the better value for the thief.
More importantly though, we really shouldn't talk about the internet as a place of fear. Yes, I would be upset if a foreign adversary set my stove to broil and set the house on fire. That would tick me off something fierce. However, the internet is supposed to be a place of information and learning. I honestly think fear is absolutely the wrong emotion to equate with the internet. I would avoid buying a smart stove anyway.
If I were to suggest a regulatory frame work for the internet, I would suggest granting unique and exclusive rights to every resident to own their own IP address. Not unlike a social security number, every American is granted their own private portal to the internet. The government's task is to keep those portals private. The difference from social security is when a portal becomes compromised the state is capable of issuing a new one. That would be my solution.
1
I joke about my refrigerator being hacked and 1000 gallons of milk showing up at my door because "it thought I needed it"-- and people I give this scenario to don't buy it. (I actually do not own such a refrigerator.)
Unfortunately, this is a rather benign scenario. There are others which are much more diabolical. But we'll just keep being infotained and mock the intellectuals... #maga
5
Oh please, if there are regulations for passwords, can we get actual good standards? As the famous cartoon says, with our use upper and lower case, and numbers and symbols, we've succeeded in training people to pick passwords that are easy for hacking software to guess, but hard for the users to remember.
The best passwords are not those ones where you cleverly replace an O with a 0 - every password cracking software knows that trick - they are the longer passwords. A short sentence, without any symbols, numbers, or upper case, is far harder to crack than one of the current P@ssw0rd options that so many websites inadvertently encourage. ihatesettingpasswords is far harder to crack and easier to remember.
1
Well if the Chinese are really interested in what temperature I set my fridge at then maybe they could remind me to get more mozzarella tomorrow too.
Plus, Ivan or Boris (whichever is on duty) if you’re reading this could you stick the kettle on, please? Oh and set the DVR as I still can’t figure out how to work it. Ta.
5
Government intervention and regulation ? You are kidding me with the current crop of pols in DC or those likely to find their way there(thank you Citizens United and in particular Judge Alito for your head shaking support of Citizens, gerrymandering, and rejection of voter rights laws).
They can’t bring themselves to deal with established scientific fact, climate change, due to just plain ignorance, stupidity, allegiance to more limited government that was all the rage in 1787 or cash in hand from those whose ox would be gored.
You expect this group to favorably respond to this complex issue? Only when the house is burning and not before. But as we know, by then it is too late.
4
"The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market — for security to be built into the products and services they want. "
Funny how they always blame the victim. The primary reason computers are unsafe is that the entire Internet has been twisted to the needs of e-commerce. It takes a lot of nerve to pontificate on security or privacy on a web page that has eight tracking scripts and a dozen web beacons. Before you start throwing people in jail, begin by confronting the Time's IT staff with the truth about their own efficient efforts to compromise reader's privacy. Then write another article, and tell us how it went.
The Internet was designed as a party line among academic researchers. E-commerce, IoT and defense were afterthoughts. As anyone old enough to remember party lines can tell you, the only way to secure a conversation is to talk in codes. So we are as safe as our encryption technology. The day that the best current encryption becomes ineffective may never be known, but it's coming.
Given the flood of poorly designed IoT devices, the last best hope we may have is some sort of super smart router. and yet the very weakest link in our home tech is the internet router, which is as vulnerable as any computer, yet never gets security updates.
8
@Mike Ood-gay ost-pay ir-say.
Proper government regulation for internet security doesn’t need to start from scratch. Treat computer security like public health and vice versa.
The language of computer security already includes descriptions like “viruses”, “worms”, or “vulnerable”, taking a page from health and medicine. There is no way to control what viruses are created or from which countries in a supply chain.
An epidemiological approach should be taken. A hospital and its patients were ransomed because a computer with out of date software was “infected.” Government regulation should mirror screens for the flu: encouraging prevention by keeping security definitions up to date and providing means and keeping infrastructure current.
Like viruses, it is always an arms race between the latest malware and the latest countermeasure. To protect vulnerable, cheap devices in our lives, a strong herd immunity needs to be maintained by monitoring products periodically from entry points with fines and punishments for noncompliance.
You shouldn’t come to work sick, and you should get regular check ups with a doctor. Why should your computer be treated differently?
1
It's getting harder, but this troglodyte will avoid any computerized product that he can. I can turn on the heat when I get home. I have a wood burning stove, if that doesn't work. I don't want and won't buy any net connected item that has a non net alternative. One thing this old geezer can promise you is that someday, someday the net is gonna go down. Online movies were nice, but I have books. Electricity was nice, but I have alternatives. Groceries were nice, but i have alternatives. and...hacking the internet should be a capital offense-because, one day, many people are going to die from a hack.
5
@otto Is it worth pointing out the irony of where you are posting this comment?
2
Not sure where NYT is getting their tech writers, but they seem to be about a decade behind the tech trends. It is not a hacking issue that a government should regulate (which by the way is ridiculously dumb). It is a shadow work and hide and seek game that has been implemented by the tech companies. Ever try to turn off every possible way that would send your actions to the providers? They are there, but are increasingly fractured and hidden on purpose. The only way to prevent this epidemic is to isolate and remove oneself from the device. Good luck.
5
"Security is not a problem the market will solve. The government needs to step in and regulate this increasingly dangerous space."
Good luck getting anything done while the Republicans are in charge. As far as I can tell they never met a regulation they liked. Oh, except for anti-abortion regulations. Those they love.
9
I find it pretty rich indeed to ask the US government to make us safe when they are the ones who hacked SSL spending billions of public money to do so. Anyone remember that?
6
"it has generally been good business to skimp on security, rather than sell a product that costs more, does less, and is on the market a year later"
Yet it would be bad for the country too to make everything more expensive, make it do less, and delay it a year, and have the government liability rules favor the biggest monopolistic abusive companies, driving out the little ones that can't pay the lawyers to do innovation.
Call me a Luddite, but instead of more and more 'cyber', wouldn't the occasional 'hard copy' be a simple and sensible response?
5
@Rachel Hoffman
Please believe, you're no Luddite. I'm a cybersecurity architect, and I think what you're wondering is correct. The Internet of Things is ridiculous in its scope and lack of security.
That said, this article has a bit of a thumb-sucking mentality.
1
@Rachel Hoffman
Some governments, stung by the release of highly confidential material, are going back to pen and paper, particularly with respect to state secrets. Germany his instituted something like this for its most classified documents--especially after Chancellor Merkel had her cell phone hacked by the CIA. The Swiss are considering it. I'm sure there are others. But I doubt the Pentagon is. Too many egos swimming with too much money for that kind of situational humility to take hold.
5
"Last week, Bloomberg reported that China inserted eavesdropping chips into hardware made for American companies like Amazon and Apple."
How did I miss that? China has both the means and the motive.
I was a director at a very large tech company. I know firsthand how easy it would be to do this--in a $1,000 Apple phone or a $60 Alex-enabled microwave.
This has now become a serious risk (and cost) that is directly associated with the decision to manufacture in China.
Your recommendations in the areas of regulation, standards and general government competence are very good. But how will they ever come to pass given that the present administration is recklessly anti-regulation, disingenuous about everything, and off-the-charts incompetent? Is that the most pressing question?
12
@Robert
They don't care one way or the other. Grifters aren't thinking about consequences, just being able to make an easy buck off of some rube. Unfortunately, the rubes are us.
1
To be fair, there aren't many problems the market does solve. But it sure creates plenty of them.
17
Financial products as a model of effective government regulation is really what we’re going to go for here? Really?
4
@Eve M
Ever hear of the Consumer Financial Protection Bureau (before it was gutted by Trump/Pompeo)? They forced Wall Street to stop making customer-fleecing a business model. It saved and clawed back billions from the financial industry in the 4 years it was active.
4
People looked at me like I had 3 heads when years ago I told them it was illegal to ask me to "uniquefy" myself by giving them my social security number (for credit cards, etc.)
I program. In multiple languages. Folks are in love with their cellphones and computers and streaming, etc. Now we are asked to provide our phone numbers, the "3 digits on the back" of our credit cards, our email addresses, etc. Phishing is identifying COMPLETELY who you are. Phishing is phishing. The internet was originally designed for survivability on the battlefield. It was not designed, at the time, for security. Security is a bolt-on that most people choose to ignore. FB and Twitter were, and are, and always will be TREMENDOUS violations of privacy. Privacy? What's that?
15
In this age of Tea Party (aka Republican Party) tearing down any fence (regulation) that hampers (costs) business in delivering profit to its shareholders, just how will this necessary regulation of the tech industry occur?
6
Instead of proposing that the already overcharged consumer pay for whatever better security technology is needed, how about taking the position that the makers and sellers of the devices should lower their prices since they haven’t done the job adequately ?
7
@R.Singer
Or asking millionaire stockholders, board members, and company leadership to return some of their obscene profits to the companies they loot for REINVESTMENT into all that’s still lacking from their products and services.
Real businessmen from another era weren’t adolescents chasing immediate gratification of quarterly profits; they were mature leaders who had the patience and wisdom to take their profits and reinvest into the company, it’s employees, and products for the long term, as in ten and twenty years out. That’s what made America great.
11
"The primary reason computers are insecure is that most buyers aren’t willing to pay — in money, features, or time to market — for security to be built into the products and services they want."
Hmm. I can't remember ever seeing any computers advertised as "more secure'. I suspect that this was a decision made by the tech companies - and the author likes to victim blame.
"Second, we need regulatory agencies to penalize companies with bad security, and a robust liability regime."
You're kidding, right? Our politicians, enacting functional regulatory agencies?
I think this article is one of those Onion-type spoof articles to brighten our Thursday.
5
@Ed Watters
Um, yes. Ever hear of the CFPB (Consumer Financial Protection Bureau)? Google it to find how many billions it saved consumers in regulating financial instruments offered to the public, and clawed back from Wall Street caught in the act of customer-fleecing as a business model for the 4 short years it existed (before Trump and Pompeo gutted the agency)
4
A large part of the problem is the large number of users who know very little about securing their own computing devices and communications across the internet, such as using encryption. Education can go a long away to improving security.
7
Going up a few thousand feet and looking at our ethical state of affairs, we need to take a look at what has happened to us as a nation from that standpoint.
Whether you look up, down, or sideways, every problem you encounter, at the foundation, is one of ethics. Corruption has corroded our politics and our business.
When talking about the changes that we've gone through over the last few decades, we mostly hear about Ayn Rand and the influence she's had over conservatism. While she's influenced the thinking of many, we should talk far more about the influence of Milton Friedman on corporate ethics and on our politics as a whole.
More often than not, observers will parrot the view that corporations' sole responsibility is to their shareholders. That view, more often than not, will come out of the mouths of people on both sides of our divided political spectrum. That change in view began with the publication of Friedman's Capitalism and Freedom. The changes resulting from it have caused this nation far more harm, in my view, than the horrible views of Ayn Rand. https://wp.me/p2KJ3H-1DG Business ethics before Friedman were polar opposites of what they are today, as imperfect as they were.
Government should play as large a role as it used to in developing technologies. Government should regulate Tech (Apple-Facebook) and ensure their products not only comply safety-wise, but ethically, too.
---
Things Trump did while you weren't looking
https://wp.me/p2KJ3H-2ZW
20
And in an environment wherein the unschooled easily buy the trope that government regulation is always a bad thing, good luck with getting the government to step in, as it should, to protect us all.
5
@Rima Regas ABSOLUTELY!
1
@Rima Regas I think that, unfortunately, the views Friedman expresses as to corporate responsibility are as much descriptive as normative. Corporations will act that way whether they ethically should or not.
Corporations are not immoral; they are, at base, completely amoral. They have no moral compass whatsoever and the people that operate within them are compelled to put their own moral compasses on the shelf.
The only way we can be assured that corporations will act in the public interest is regulation with enforcement sufficiently pervasive and with punishments sufficiently severe to assure compliance.
A good illustration of this issue is provided by Tesla. Consumer Reports tested one of their models and found braking distance to be unacceptably long. Musk contacted them to understand the issue - he was very open to their concerns. Within a few days Tesla sent an update to the car computers over the air which reduced braking distance considerably. Now, that's amazing in a number of ways. However, that same magical system can be hacked to reverse that fix and even lengthen stopping distances. That would be disastrous.
For me the benefit-cost ratio of the internet went negative when it became clear that hostile nations can interfere in democratic elections. That's going way way too far. Real-time inventory, email, current weather in 18,000 cities, stamps.com - none of that is worth it.
28
The boat of Internet security has shipped a long, long time ago.
The best we can do is to mitigate the consequences of security breaches. It should already be cost of doing business by now.
8
@Dora Minor
Who ships boats?
A co-equal part of "computer security" is the "network". The Internet largely runs on IPv4 protocol, and while a upgrade to IPv6 was formalized 20 years ago only 10% of network traffic uses this more secure protocol.
IPv6 is needed for it's larger address space; to connect trillions of IOT devices that are coming, but it also brings with it the ability to restrict access to an endpoint (compute device) to known and trusted devices. This in turn requires international and national "naming authorities" to authenticate endpoints and eliminate spoofing.
9
@OSS Architect and for ISPs to actually roll out working IPv6 on their networks.
Several US ISPs are lighting up some very buggy IPv6 networks. We also need some global test suites that validate networks and networking products are conformant and secure.
7
In my world of fantasy, I see private computers equipped with a device that allows their users to destruct the hackers by remote control. In real world, I use Internet only for essential information searches and never for any personal financial transactions.
5
Seems counterintuitive that electronic security needs more govt regulation to protect individuals -- but the author is right.
7
Do we really need toasters that rely on the Internet to operate? Or refrigerators that order butter when we're running out? Not only does the so-called "Internet of Things" present a security risk, but it's also an absurdly extravagant boondoggle in an era when we really need to scale back on consumption of all types -- especially the energy that powers the giant server-farms the Internet depends on.
See the IPCC's latest report on climate change which says that the world has 12 years to turn around our trajectory of rising CO2 emissions -- lest we unleash the monsters of runaway global warming. Why are we doubling down on frivolous, ultra-complex, energy-hogging technologies, instead of speeding a transition to simpler, greener lifestyles? Do we really need Internet-connected robotic vacuum cleaners?
110
@ando arike A green power network has to rely on small distributed power sources (think solar & wind) and a very complex and dynamic network that will have to be very intelligent. It won't be possible without things like smart meters and water heaters. Unfortunately we can't deal with global warming without "internet of things" technology.
7
The solution is so simple it hardly bears mentioning: Nothing, except a computer specifically meant for internet access, should have a physical connection (wired or wireless) to the internet.
39
@Jonathan Katz
You would be overlooking security and alarm systems, programmable traffic lights and cameras, EMTs transmitting crucial patient data to the hospital, and a host of other important applications. Things have gotten much more complicated and technologies much more interwoven much of which is vital and/or improves our daily lives. We need to do better though.
13
@Jonathan Katz, nice advice but impractical. We all have "smart" phones (quotes intended) various Pads and I can't do without my TiVO. Besides, your Internet activity via a browser is no longer unwatched. Tracking and persistent cookies and other real malware can track us through any web page. I use a lot of blockers and clean the four different browsers every now and then but it is just a lot of work.
On the other hand, I bought various not so smart products from Google and Amazon that I have not bothered to take out of the packaging, its gathering dust. I don't need Alexa, Google whatever or Apple product listening and watching my every conversation and following me around just to sell me stuff. I might buy these types of products from a manufacturer who can assure me and independently verified that there is no tracking or data saved to some server in the "cloud" to be sold to any ad company. Until then I'll exercise some caution.
Everything is networked for a reason.
Fortunately, we can rely on the "very smart" occupant of the White House to act fast, allocate unlimited resources to this, and put the best people in charge!
40
Software vulnerabilities are actually a very small, but dramatic, portion of all the malicious hacking that goes on. They make headlines often because, as noted, once an exploit in a system is discovered it allows a single bad actor to affect millions of devices at the same time.
Much less newsworthy is the fact that ordinary users have their passwords cracked or phished in simple scams every single day. This accounts for the vast majority of malicious hacking that goes on, in fact. Much of the data that is leaked or stolen is done so by simply logging into a secure system using a stolen username and password. The end user is the weakest link in any security effort. Training end users to recognize phishing scams and practice good password habits creates a strong front line that will reduce the total incidences of hacking. In that respect the law in California mandating strong passwords is a step in the right direction.
As for software flaws, I am skeptical that government oversight will accomplish anything that the market hasn't, while being slower, more expensive, and far more heavy handed in its approach. That's not to say we shouldn't use the government to get some stuff done that should've been done ages ago.
The idea of legislating best practices into law, like California's password law, is probably the least obtrusive way to do this. Good security standards already exist, they just aren't enforced by law, so I think we should start by changing that.
5
The costs of hacks are not borne by the people who buy the hardware. When a credit bureau loses my data, I spend the rest of my life guarding against identity theft, not them. They actually have a package to sell me to protect myself against the results of their breach.
It doesn't help that my social security number is both my username and password for many critical transactions, and I can't change it.
54
The author didn't mention the ubiquity of malware-loaded phishing emails, which are the vector for nearly 95 percent of the damage done!
Having a solid security system isn't going to help when a human employee is the weakest link --- unknowingly lured into clicking on a criminal or nation-state malicious link and downloading the latest in ransomware, credential harvesting and other devastating scams.
It's vital to have technology-based anti-phishing resources in place to prevent these vicious fake emails from getting into inboxes with their clever spoofs and near-perfect impersonations. Stopping phish is key if we're to be anything like secure. And training employees to spot a fake email just fails much of the time.
When it takes just one phish to infest a whole company, this problem is urgent.
12
@Trista The author was talking about IoT which typically is not subject to phishing attacks. In the author's example a new "Internet" refrigerator would not have an email address and hence not vulnerable to a phishing attack.
I believe Mr. Schneier's point is that the free market has failed in providing incentives to encourage sellers in developing secure products. In this case it is the government responsibility to set minimum security/privacy standards that are enforceable through fines or allow civil actions in court.
14
@Trista
While phishing attacks are currently responsible for most user level breaches, people will eventually become smarter about spotting them (or a tech. solution will spot them for the user). What experience has taught us is that the perpetrators will simply use another vector of attack.
6
For a start, those who hold sensitive data must be held much more accountable as a strong incentive to adopt best practices.
What happened to Equifax when it collected so much data on all of us without our knowledge or consent, then got hacked? Not much of anything. CEO Richard Smith retired with his full $90 million package, nobody was prosecuted and nothing changed. The only consequences were for us, the victims, who had to deal with the fallout. What message does that send to this industry?
Technological improvements are important and they will come, but holding people accountable can be done much sooner and will certainly encourage more responsibility.
83
@Pat I agree with your sentiment but in practice setting security standards and accountability is extremely hard to do. I agree with Mr. Schneier that the federal government has to take the lead here. But politically I can hear it now, "Regulation is killing our industries... reduce government regulation!!!"
1
For over a century, we've looked for the Underwriters Laboratories label on appliances and other home products as a way of trusting that when used as directed, they wouldn't burn our houses down. Perhaps something like that is needed for network connected consumer products.
Mr. Schneier is not being paranoid here--his is not the same thinking that made many of us worry that Y2K could be the end of civilization. The vulnerabilities he describes really do exist, and I'd hazard a guess that they exist in at least one of the devices that got this message from my keyboard to your eyes.
Until the security of devices, as well as the internet itself, is vastly improved, when you hear the term "Internet of Things", pronounce it as "Internet of Insecure Things".
56
It poses a bit of dilemma to recommend government oversight when it's been proven that the federal government is not very savvy about technical security either (see article link) or witness the hack of the US Office of Personnel Management. The NSA relies on undisclosed software flaws to infiltrate other countries' systems so how exactly would government regulation work if one agency is trying to prevent hacking while another agency depends on it?
I agree that today's caveat emptor approach in the US must change but we don't even have the leadership wherewithal to stop robo-calls let alone more sophisticated cyber attacks. Nothing much is going to change (like a lot of things in this country) until the body count starts piling up.
https://www.nytimes.com/2018/10/10/us/politics/hackers-pentagon-weapons-...
23