'Things' on the Internet-of-things have 25 vulnerabilities apiece

Ten of the most popular Internet of Things devices contain an average of 25 security vulnerabilities, many severe, HP researchers have found. HP's investigators found 250 vulnerabilities across the Internet of Things (IoT) devices each of which had some form of cloud and remote mobile application component and nine that …

  1. btrower

    Not surprised, but...

    It is not surprising that IoT devices using the same underlying code and designs as the rest of the Internet have similar security problems. However, before people go nuts saying this is a problem with the IoT and we must therefore stop the IoT, the problem is the security designs and code, not the thing using it.

    The IoT is like the tide. It is coming in and attempting to stop it is futile. A solution based on attempting to stop the IoT (already well underway) is no solution.

    The solution to the problem of our leaky boat is to fix the boat, not to jump in the water.

    1. Will Godfrey Silver badge

      Re: Not surprised, but...

      I disagree. This is a solution looking for a problem. In the average household I can see no practical use-case for this sort of connectivity. Oh it's great to be able to show off to the neighbours, but it gets boring pretty soon - just like most modern toys.

    2. Captain DaFt

      Re: Not surprised, but...

      "the problem is the security designs and code, not the thing using it"

      Yes, and the thing is perfectly functional without all the security misdesigns and crap code foisted on it by the 'LATEST and GREATEST' ballyhoo bandwagon.

      Timers and thermal sensors control lights perfectly well now (So does a simple off/on switch), and thermostats, refrigerators, toilets, cupboards, washer/dryers, water heaters, etc, etc, work just fine without reporting to Central Advertisement Control and Dissemination.

      Hell, it's possible right now to fully automate a home without ever having a thing in it internet accessible.

      Why does John Q. Public need the 'Internet of things' in his home?

      Short answer; He doesn't.

      Who does? Google, Facebook, NSA, a thousand and one other info slurping entities are all creaming in their Armani suits over the thought of having it in John Q. Public's home.

      Fuck them.

      1. khisanth

        Re: Not surprised, but...

        The internet of things is more than just home automation devices or intelligent appliances, smart mobile phones are a big part of the IoT for example.

        1. VinceH

          Re: Not surprised, but...

          "The internet of things is more than just home automation devices or intelligent appliances, smart mobile phones are a big part of the IoT for example."

          Taking the term 'Internet of Things' literally, my computers, my NAS, my tablets, my PS3, etc are also a part of the 'Internet of Things'. It remains a stupid term - but I think most people think of computers and other, more recognisable computing devices (i.e. smartphones) as things on the internet, rather than on the 'Internet of Things'.

          The 'Internet of Things' - or as I prefer, the Internet of Pointless Things - is, IMO, more about connecting other crap to the internet, that you wouldn't normally think of as a computing device (and on which you probably wouldn't play Doom), pointless things such as light bulbs, fridges, and iPhone users[1]. You might use your smartphone to monitor and control these things ("Oh, look I can be a lard-arse and switch the light on from the couch instead of getting up and taking a few steps to the switch on the wall"), but that's the only real connection the smartphone has to the IoPT.

          As someone upthread has said, it's a solution looking for a problem, and those of us who choose to can ignore it and just do what we do now, because what we do now works.

          Bah humbug!

          1. Sorry. Haven't had a good dig at Apple users in at least a day. I'm having withdrawal symptoms...

        2. Solmyr ibn Wali Barad

          Re: Not surprised, but...

          "The internet of things is more"

          Sure is. More stuff to sell, more bollocks to tell, more holes for the peeping toms, more data to keep miners busy, more adverts to serve, more vulnerabilities to worry about. Did I miss something? Ah, yes, a little bit more convenience for the lazy. That sure justifies it.

      2. Nick Ryan Silver badge

        Re: Not surprised, but...

        It's easier to understand what is going on and what can be done if you ignore the marketing rebrand that's basically all that IoT is. "Machine To Machine" (M2M), is much less marketing-tard friendly.

        Hence one of the comments above about home automation not requiring Internet connections, just some form of communication medium in the home.

      3. Bruce Ordway

        Re: Not surprised, but...

        >>Why does John Q. Public need the 'Internet of things' in his home?

        but... I think he does want them.

        Due to some romantic notions, ill-informed and/or impulse purchasing.

        The quality of code probably won't bother the companies who produce the gadgets until some unfortunate event brings the subject more attention. Casual users want something simple & easy to access.

        >>Fuck them.

        I agree, but... Most people say I am overly cautious.

        I put tape over the lens of the webcam on my laptop, require MAC authentication for access to my network, etc...

    3. John Lilburne

      Re: Not surprised, but...

      Or we could stand on the bank and laugh as you drown.

    4. Dan 55 Silver badge

      Re: Not surprised, but...

      This consumer society being what it is, I can't say everything's going to be put on hold for two years so that OpenSSL and webadmin interfaces can be fixed in your lightbulb, thermostat, and smart meter.

      Just look at networking kit which has been around forever. Security? We've heard of it.

    5. btrower

      Re: Not surprised, but...

      Wow. For what I would expect to be a technical crowd, there are a lot of people here that are hostile to what is clearly (to me anyhow) something useful and inevitable regardless of how many are in denial.

      At one point, even though we had the largest private network in Canada connecting 150,000 employees, our network architecture committee thought that there would not be a need for more than 56K lines and that LANs and associated servers and printers were 'a solution looking for a problem'.

      I am pretty sure that some people never gave up their horses long after cars were a done deal.

      The argument from 'my imagination is limited' is a weak one.

      Pointing out that there are few suitable roads to drive upon did not stop automobiles from spreading like wildfire in North America.

      A networked community of smart devices that take care of one another beats all sorts of disconnected dumb devices, at least in the long run.

      Our current network, by design, makes things all but impossible to secure. However, that is not intrinsic to networking as such. We have a dreadful design.

      If they are serious, I am not sure what the naysayers hope to accomplish. If there are problems to a growing IoT (there are), then we should be focusing on the problems with an eye to fixing them, not attempting to assemble a case for scrapping the IoT. Anything is possible, but the odds of the IoT going away seem vanishingly small to me. If nothing else, evolution will eventually finish off the laggards.

      A properly designed IoT would allow us to catch predators in real time with virtually no compromise of privacy and no chance of dragnet surveillance. Homes would be safer and cheaper. Cars would be cheaper and safer.

      Coordinating activities among devices requires they be able to communicate state somehow and be appropriately responsive to legitimate requests to change state.

      We have a lot of work to do to properly harness the IoT and make certain that the very real dangers it poses are contained. Even if there is a finite chance it can be stopped, the very real chance that it cannot be stopped requires us to act now, while we can, to make sure that whatever rolls out is reasonably under our control.

      The 'IoT' terminology may be irritating to some, but it is an apt name for a converging network of peering (pun intended) devices.

      In March of 2012 I read an article in Forbes where a pundit was sagely explaining how "My internet guru just sent me the arithmetic that shows without any doubt that Facebook can’t be worth $75 billion in market cap– much less $100 billion. At that crazy valuation, it might be the short of 2012."

      I posted a comment and a blog entry disagreeing. "if I could purchase the whole shooting match and had the $75 billion I would put it down in a heartbeat. Your Internet guru sent you arithmetic. Sometimes, it *is* just a simple matter of arithmetic. Sadly, this is not one of those times. This is a question of mathematics."

      What drives Facebook is the mathematics of group forming networks. The same math governs a converging network of connected devices. Its value grows enormously as it accumulates more nodes.

      "if someone is coming to you with ... arithmetic ... they have no idea what they are talking about. The value ... is in the network of relationships ... and the value of such a network grows, not with the number of [nodes] N or even some power like N squared or N^10. It grows at the rate of 2^N:

      Not N = 0 – 1 – 2 – 3 – 4 – 5 – … 50 …

      Not N^2 = 0 – 1 – 4 – 9 – 16 – 25 – … 2,500 …

      But 2^N = 1 – 2 – 4 – 8 – 16 – 32 – … 1,125,899,906,842,624 …

      My prediction for Facebook was a valuation of $100B in 2014 growing to $1T in 2016. Seems a bit aggressive, but so far they are just about exactly on track.

      The value of the IoT will grow along similar lines as Facebook. Before it becomes too valuable and is locked up by the weasels attempting to gain control of the Internet we would all be well served if the people at least capable of understanding it actually tried to understand it rather than fighting a battle that history tells us they will lose.

      Half the arguments against IoT are arguments against something else. The other half would probably apply to just about any tech we have already passed through, certainly to networks, but likely even to electricity. Here's a few:

      "The abolishment of pain in surgery is a chimera. It is absurd to go on seeking it... Knife and pain are two words in surgery that must forever be associated in the consciousness of the patient." -- Dr. Alfred Velpeau (1839), French surgeon

      "Men might as well project a voyage to the Moon as attempt to employ steam navigation against the stormy North Atlantic Ocean." -- Dr. Dionysius Lardner (1793-1859), Professor of Natural Philosophy and Astronomy at University College, London.

      "There is a young madman proposing to light the streets of London—with what do you suppose—with smoke!" -- Sir Walter Scott (1771-1832) [On a proposal to light cities with gaslight.]

      "The Kölnische Zeitung [Köln, Germany, 28 March 1819] listed six grave reasons against street lighting, including these: ... It will be easier for people to be in the streets at night, afflicting them with colds... Morality deteriorates through street lighting.. [which keeps the weak from sinning]...

      "When the Paris Exhibition closes electric light will close with it and no more be heard of." -- Erasmus Wilson (1878) Professor at Oxford University

      "They will never try to steal the phonograph because it has no `commercial value.'" -- Thomas Edison (1847-1931). (He later revised that opinion.)

      "This `telephone' has too many shortcomings to be seriously considered as a practical form of communication. The device is inherently of no value to us." -- Western Union internal memo, 1878

      "What use could this company make of an electrical toy?" -- Western Union president William Orton, responding to an offer from Alexander Graham Bell to sell his telephone company to Western Union for $100,000.

      "Well informed people know it is impossible to transmit the voice over wires and that were it possible to do so, the thing would be of no practical value." -- Editorial in the Boston Post (1865)

      "Radio has no future." -- Lord Kelvin (1824-1907), British mathematician and physicist, ca. 1897.

      "While theoretically and technically television may be feasible, commercially and financially I consider it an impossibility, a development of which we need waste little time dreaming." -- Lee DeForest, 1926 (American radio pioneer and inventor of the vacuum tube.)

      "[Television] won't be able to hold on to any market it captures after the first six months. People will soon get tired of staring at a plywood box every night." -- Darryl F. Zanuck, head of 20th Century-Fox, 1946.

      1. Mark 65

        Re: Not surprised, but...

        @btrower: Step away from the kool-aid.

      2. Stuart Castle Silver badge

        Re: Not surprised, but...

        btrower, I am personally happy to support change. I just have to be persuaded that the benefits outweigh the costs. No one has managed to persuade me that having my lightswitches and door locks hooked up to a cloud service will give me that though.

        What you say is right, in theory, we do need to ensure that the IoT is properly secured. Bearing in mind that a lot of the products we buy and connect to the internet will be using proprietary software, or open source software that has been heavily modded by the manufacturer, who will be doing that? Do you really think any manufacturer is going to update products that are a few years old? The aforementioned door locks. If someone discovered a vulnerability (and it *will* happen, look at how many car locking systems have been compromised) when the lock was no longer being manufactured, do you *really* think the manufacturer is going to update the software on that lock? At best, they'll patch it so the vulnerability is not so easy to access.

      3. Anonymous Coward

        Re: Not surprised, but...

        What an excellent post, I really don't understand the downvotes. Perhaps the anti-Luddite filters have been switched off this morning.

        There are of course many potential IoT applications. People's fixation on smart fridges and devices that might tell local burglars when they can pop in are an over-simplification of its potential.

        Good systems shouldn't let bad things happen, but they have to be designed and built by people with a clue, which appears to be a vanishing resource, at least this morning.

        What about better weather reporting, traffic control, public safety, energy conservation and smarter cities (just to name a few) as IoT applications?

        If anything prevents IoT from becoming a force, it will be a lack of imagination and vision. But that will only slow it down, not kill it. Must have been a rough Friday evening for most commentards' brain cells, methinks.

        As Einstein said "There are no limits to human stupidity and the universe, and I am not too sure about the universe"

        1. Solmyr ibn Wali Barad

          Re: Not surprised, but...

          I'm terribly sorry, but I have to downvote your post. Despite having upvoted btrower's post at the time. His comment was emotionally toxic, but to balance it out, it was also long, informative and thought-provoking. Your comment fell a bit short on the second part.

          If you're going to call people luddites, you have to have a damn good argument to support that. Namely, you'd have to show why the IoT push would end any better than previous appliance pushes - which produced untold millions of things that do not work properly, and will never be fixed, because the industry has pretty much forgotten about them. That's the problem. Industry cares about peddling "technology", "solutions", "ecosystems", "architectures", "visions", and so on, and so forth. Not the things that would actually work as promised.

          And in this sense, IoT opens a new can of worms - we can expect a myriad of connected devices that present an active and increasing risk, and manufacturers caring diddly squat about them. Unconnected appliances did not pose such risks - they could be forgotten rather safely.

  2. Cliff

    Use case?

    I'm still trying to work out what IOT is for. The oft-cited fridge reordering milk example seems quite lame to me, and I don't see it as any of my lightbulb's business if my electric car has paired with my washing machine. Either I'm missing something obvious, or this is the 3D of household electrics.

    Either way, the mishmash of protocols is going to harm the market far more than the lack or surplus of uses. Until IOTP://myfridge.mykitchen.myhome/lightbulbstatus.iotb can tell me whether the light bulb goes off when I close the door and the same basic protocol can be used for the TV to ask the thermostat to turn down the temperature when I watch Titanic, the multitude of crappy incompatible protocols makes hardware bought now worthless in a few years. We're at the stage where we have finger, gopher, ftp, etc with manufacturer variations. I can't get excited about that.

    1. smartypants

      Re: Use case?

      Is it perhaps just part of the great effort to "Buy more shit or we're *ucked"?

      Each year, we need to come up with new ways to suck people into buying more shit, as the old shit becomes cheaper and easier to manufacture, or is replaced by shit which doesn't need to be manufactured at all (e.g. cds, videos, books).

      When the luddites were busy wondering what they would do with their lives now that Mr. Mechanised Farm had arrived, little did they know that their descendants would have created new lives out of fondling small slabs displaying flickering images, selling life insurance and so on.

      Tomorrow's generation better bloody well wish the level of their milk carton to be communicated to the Just-in-Time distribution depot, because otherwise... what will we all do!

      Argh!

    2. khisanth

      Re: Use case?

      A large part of the IoT benefit is for the vendor, usage tracking is really important to them from a business intelligence standpoint, seeing what parts of a product are actually being used etc to using that data for billing purposes.

      A lot of IoT use cases will be in the background and not just in the home. Cars, factories, telecoms, mobile phones, aircraft, the list is endless!

      Information gathering, sharing and analysing is one of the big benefits. For the home user, then, right now it's just a fancy way of turning things off or on in your house!

      1. Otto is a bear.

        Re: Use case?

        Yup, the more they know about us the more they can tailor the stuff we need, that's what loyalty cards are all about. Just think the NSA/GCHQ will now be able to find out when you are home by monitoring your domestic devices.

        But actually, I can see the point of being able to open the garage doors and turn the lights on as I arrive home. Starting the cooker, washing machine or whatever to coincide with my arrival home or pause them because of a last minute traffic jam, but I don't need them to do it, it's just convenient, and isn't that what most of the last 50 years of consumer device development has been about.

        Just think of all the fun we can have deciding which devices can dial out of the domestic firewall, which BT have now vitalised. I'm a great fan of Technology, if only I could spell IT.

        1. Pascal Monett Silver badge

          "Starting the cooker, washing machine or whatever to coincide with my arrival home"

          Dear God, man, do you really think it is a good idea to have volatile substances or pressurized water released in your absence? Do you really think that nothing can ever go wrong? Or that it is a good idea to leave food out of the fridge all day long just so you can start cooking it a quarter of an hour before you get back? What if you forgot to prepare the cooker before you left?

          Not to mention the fact that, if you can do it from your car, there's a good chance that Mr Hacker can as well, whether or not you're going to get home.

          I prefer buttons and switches, thank you, and I am absolutely not interested in having a Microsoft house that attempts to set fire to my kitchen because it thinks I'm on my way.

          1. Solmyr ibn Wali Barad
            Flame

            Re: "Starting the cooker, washing machine or whatever to coincide with my arrival home"

            "I am absolutely not interested in having a Microsoft house that attempts to set fire to my kitchen"

            There's a bright side, though. We might see that bungling Clippy fried for good, when it attempts to help with the cooker.

    3. TaabuTheCat

      Re: Use case?

      That's easy. So Company X can extract a monthly subscription from you for something that has zero technical need to be controlled from someone else's server. It's yet another race to see who can create the biggest walled garden for no benefit to the consumer. (And data slurping too of course. Icing on the cake.)

    4. Mike 137 Silver badge

      Re: Use case?

      "...I don't see it as any of my lightbulb's business if my electric car has paired with my washing machine..."

      The light bulb, being quite bright, may be worried by the potential nature of the offspring...

    5. Roland6 Silver badge

      Re: Use case?

      The use case is obvious: single technology obsessed males who have no meaningful social life, real world social networking skills and only occasionally use domestic appliances and probably only wear faded 'grey/brown' clothes.

      As soon as you introduce a woman or family into the equation the use case goes out the window...

      Take the washing machine for example, in my household with 2 adults and 2 children, we typically have 4~7 washes per week; the idea that somehow being able to control my washing machine (and tumble drier) via the web is total stupidity: the washing machine doesn't load and unload itself and neither does the tumble drier (or washing line if weather permits); and let's not forget about the ironing...

      No the much cheaper and simpler solution (compared to IoT style solutions) if you are time constrained is to employ a laundry and ironing service: here dirty washing gets magically removed from the laundry basket and transformed into clean clothes hanging up in the wardrobe. The service can work well with only occasional out-of-band communications needed to handle exceptions.

  3. heyrick Silver badge

    StumbleUpon is ruining your site

    There is some sort of problem on their end, so they notify us about this by opening a frame the width of the page, obliterating huge swathes of the content I came here to read. This is obnoxious behaviour.

    http://i.imgur.com/MdR1WhA.jpg

  4. John Smith 19 Gold badge
    Unhappy

    Remind me again why we "need" this BS?

    I don't know.

    1. Anonymous Coward

      Re: Remind me again why we "need" this BS? @John Smith 19

      The first time I saw something like this was the old "Coke Machine on the Internet" thing in whatever University in the late 90s. Saved tech students getting off their fat arses and waddling across the building (probably a couple of short corridors in reality,) only to find out that they'd wasted their journey because their favourite drink was the only one sold out.

    2. John Robson Silver badge

      Re: Remind me again why we "need" this BS?

      I can see use cases for things like washing machines/tumble dryers - I can set them to "run at some point before 7, then do a quick rinse and spin at 7:20" so I can put things on the line when I get up in the morning. Then they can negotiate a time with the power company, so that across the country we have a controlled load throughout the night (and low cost power) - but there is an awful lot of development to make that happen. And even that could be a case of my washing machine making a request: "I want a cheap 2Kw for 30 mins as late as possible before 7. When do I run?" query.

      I can see the "did I turn my oven/hair curlers off" "did I lock my door" being useful, but both of those can be done internally (maybe via SNMP) or over a VPN - with mains plugs/sockets having mains networking available (Does mains networking require the live wire, or is access to neutral sufficient?)

      I can almost see "mains network" light switches being vaguely useful (in a staircase circuit with the physical switch, maybe a motorised dimmer where appropriate) - but really even the IR light switches never really caught on, and despite the "multi control" aspect of smartphones it's still easier to just go and hit the switch.

      1. Mike Dimmick

        Re: Remind me again why we "need" this BS?

        There are two problems with the washing machine scenario:

        1. You have to have already loaded your washing into the machine.

        2. It's not a good idea to leave damp washing in the machine for a long time. It can start to smell fusty.

        I use the timer function on my washing machine to ensure that it's done roughly when I expect to get home from work, or alternatively shortly after I get up in the morning, depending on whether I remember to load the machine before going to bed.

        I can just barely see the use for bringing the finishing time forward if I decide to leave work early, or pushing it back if I'm going to be late, but you'd have to know before it's actually started washing that you wanted to delay it. (Typically not a good idea to stop the machine in the middle of the programme.)

        The benefit to me is tiny, so I wouldn't spend any more on an IoT washing machine over an equivalent non-IoT version, and I certainly wouldn't be looking to upgrade (and get on the upgrade treadmill, to keep up to date with all the patches necessary to ensure that miscreants can't use it to send spam/crack keys/mine Bitcoin - assuming the manufacturers produce them) just for this feature. Given that router manufacturers - producing a vital piece of comms equipment exposed to the public internet - don't keep up on producing patches, I have no hope that general consumer electronics makers will.

        I wouldn't have had the timer, except that since the machine is in the kitchen of my one-bed house with only a worktop between that and the lounge, it really makes too much noise to run it in the evening. Now, a machine that could spin near-silently at 1200rpm, that would be worth having!

        1. John Robson Silver badge

          Re: Remind me again why we "need" this BS?

          "There are two problems with the washing machine scenario:

          1. You have to have already loaded your washing into the machine.

          2. It's not a good idea to leave damp washing in the machine for a long time. It can start to smell fusty."

          1. You'd only set it when you had loaded the machine (exactly as per current timer)

          2. Hence the rinse and spin at 7:20

          It's a marginal case, dependent on a whole pile of development, and probably free electricity for people who allow such scheduling.

          1. increasingly_irrelevant
            Meh

            Re: Remind me again why we "need" this BS?

            I sort of do this for a living and I see four potential areas of benefit, but probably not hugely valuable for most people at the moment

            1) Power and resource saving - turning on and off lights, heating etc. in response to your rules and sensor detection.

            2) Home monitoring and activity detection for the elderly and ill - especially people who are forgetful or have brain injury to safely manage potentially dangerous devices or medications and remind people to do things

            3) User interface simplification - Many devices have timers etc. but embedded systems often have terrible user interfaces (partly because that's an added cost) and they are all different - at least with a larger form factor or more familiar UI I might be able to work out how to program the air conditioner etc.

            4) Remote monitoring of system health. Not massively useful but it could be helpful to allow the central heating boiler to tell maintenance people how it is performing, and avoid call out costs etc.

            If you are really concerned about strong privacy then probably none of these are compelling, as a cheapskate I would be concerned with cost, and yes, security is an issue although probably solvable, but there needs to be much more thinking about how to make systems like this secure by default, and simple to set up with security.

            1. Pascal Monett Silver badge

              Re: security is an issue although probably solvable

              The question is not about is it solvable, of course it is.

              The question is how will it be solved, and when.

              And, given the track record security has in the current industry, the outlook is not a happy one.

        2. Roland6 Silver badge

          Re: Remind me again why we "need" this BS?

          >Now, a machine that could spin near-silently at 1200rpm, that would be worth having!

          They exist, I bought mine with a 1400rpm quiet spin from John Lewis back in 2004 and after a free manufacturer's service a couple of months back, I expect it to run quietly for another 8~10 years...

  5. Ole Juul

    It'll be messy

    When the IoT bubble bursts.

    1. Christian Berger

      Re: It'll be messy

      Naw, most of this is outsourced anyhow, and the teams are small enough to be picked up by other parts of the companies. At least with household appliances I don't see any problem. In fact the project I worked on was the 3rd one... the first two failed miserably.

      1. Ole Juul

        Re: It'll be messy

        I was thinking more along the lines that after the bubble bursts there will be an awful lot of unsupported kit out there - much of which might be a liability, perhaps downright useless, without a security or other update. There could be an overload at the landfill.

    2. khisanth

      Re: It'll be messy

      The IoT bubble won't burst, it will just evolve like the cloud. All these things are nothing new. Cloud = mainframe with dumb terminals logging in to use applications on it. IoT = the internet :)

      1. Nick Ryan Silver badge

        Re: It'll be messy

        IoT = the internet

        IoT = M2M - Machine to Machine communications. It's just that the devices might happen to use the Internet to communicate - which is where the serious security fails come from...

  6. Christian Berger

    Having worked at a company which does IoT

    I have to say that you are still lucky if you have a full blown Linux system, as there you at least had a chance. We had to work with Nucleus, an operating system which had its own "Ping of Death" bug. However to be fair, trying to respond to a 64k ping when you only have 30k of RAM left kinda is a futile task. Then again the code was so bad that every DNS query leaked 512 bytes of RAM. Again you won't notice that on short test runs when you have megabytes of RAM.

    The really big problem is that lots of people who have no idea of secure or even practical software design are now swept into positions where they have to do complex embedded systems.

    1. smartypants

      though to be fair to the developers...

      If we generalise the statement a bit to:

      "The really big problem is that lots of people who have no idea of <their job> are now swept into positions where they have to do <their job>"

      You'll find a lot of this about! (Choose your metier: Head of NHS trust, politician, the person who was sent to adjust the doorclosers in our building and wasn't even capable of that, yet we're not allowed to do it ourselves for elfin safety reasons...)

      1. Anonymous Coward

        Re: though to be fair to the developers...

        One of the key components of being a good engineer is recognising when you aren't capable of doing something the best way possible, and making sure that this is known to your management at the highest level.

        If you can't get support to make the thing the best way possible from within the company, then start looking for other work - I know that's a pretty black and white statement, but there's more truth to it than most people believe. If your company won't support you to do things that make them money properly, then would you expect them to support you in any other area? (health, pay, etc)

        Sadly, as I know only too well, finding other work (with companies who do do things properly) is rather different to just saying it...

  7. Anonymous Coward

    And that is why

    You do your best to avoid products with closed-source firmware as much as possible.

  8. frank ly

    What Things did they test?

    What Thing might I buy for my home that stores my credit card details, date of birth or name and address?

    If I have a 'fridge that orders milk', surely it just needs a unique account number that my supermarket's server recognises and links to their stored details about me? etc.

    1. dan1980

      Re: What Things did they test?

      @frank ly

      What things (and vendors) need and what they require you to provide are often quite different things.

      The push for data, data and more data is in full swing and every company wants to know as much about you as it possibly can. This is one reason why some big companies are buying businesses that seem to have very little to do with their core products.

  9. Ian Tresman

    Security framework

    Isn't there a security framework that developers can use to help them build secure apps? How about a security test suite that developers can use to make sure they have done the job correctly?

    1. John Smith 19 Gold badge
      Unhappy

      Re: Security framework

      "Isn't there a security framework that developers can use to help them build secure apps? How about a security test suite that developers can use to make sure they have done the job correctly?"

      Hahahahahahahahahahahahahahahahahaha.

      That is all.

    2. Androgynous Cupboard Silver badge

      Re: Security framework

      Hello Ian, welcome to our planet. You must be new here.

    3. Anonymous Coward

      Re: Security framework

      Hi, yes there are lots of security test suites. The good ones are not free. They are run by experienced pen test engineers as a paid-for service. They are generally tailored to the system under test.

      I'm not a developer so can't comment on security frameworks for embedded IoT systems.

      1. dan1980

        Re: Security framework

        Yes, there are best practices and guides and test suites and paid-for services that will test for you.

        The problem, however, is that all those things cost money, take time or both, and everyone is in a mad rush to push as much new product as possible. And they all just love having shiny, starburst-backed bullet-point features for their marketing.

  10. Anonymous Coward

    If it's on the LAN then they don't care?

  11. Valeyard

    tech support

    "hi, i requested an openreach engineer last week and he still hasn't shown up. my fridge has been empty and the heating off for 2 weeks"

    "ok sir i'll just guide you through the manual steps to cook some spag bol. is there a building with big windows and teenagers hanging around outside anywhere near you? good. now start by grabbing your wallet.."

  12. ben_myers

    IoT with Windows? I hope not!

    Geez, and probably few of them are running Windows! But we really need these IoT things. So they tell us.

    Many years ago, legendary blowhard computer columnist and pundit John Dvorak had some words of wisdom about what to computerize and what not to computerize. The quickest summary is to say why use Quicken if you only write two checks a month. Why use a computer when something else really simple will do just fine. Seems to me his thinking applies to IoT, too. As we are all seeing with our computers and tablets, care and feeding of these devices takes a lot of time to download all the Microsoft updates (and reboot, and update again), backing up files to the cloud, applying the latest anti-virus updates and so forth. And where is the time left to actually be productive?

    Now these dolts selling us IoT things want us to believe that they will make our lives so much easier, turning on the air conditioner 12 hrs before we arrive home from vacation, emailing an order to the milkman when we are low on milk, unlocking the front door to the house with app while still in the car because it is raining cats and dogs, and taking over many of the other mundane and simple tasks that fill our lives. All we need is to have someone hack our IoT things, get the temperature in the house down to 5 degrees C on a 30 C day, unlock the front door and loot the house. Betcha IoT things will be sold just like Windows with a loud disclaimer absolving the sellers of any responsibility just in case something goes awry. This is something I do not need, and you probably don't either.

  13. Anonymous Coward

    Depressing

    I must admit I had hoped for a rather more positive attitude to IOT on El Reg.

    This technology is here and yes at the moment the devices are more expensive and bought mainly for the "look what my fridge can do" factor, but in time this tech will work its way into pretty much everything and become mundane, look at car diagnostics, pretty much a standard feature now, 20 years ago most video recorders flashed at 12:00 because most people couldn't handle setting them or didn't want to, and tuning them or setting record times was a dark art, their successors like DVRs now go out and set that information themselves, smart TVs now give access to a much wider range of sources of media than were available before.

    I see big benefits ultimately for security and energy usage, systems that will turn off that light you left on or sounding the alarm if someone enters your house or warning if a fire starts are obvious benefits, as well as giving more information on what devices are consuming the most energy in your home.

    Like any immature technology there are going to be flaws and security issues, not many companies are going to throw big money or development effort at these things, as like many on here their management probably figure "ok we'll make a few, some nut or geek might buy it, but personally I'm doubtful, but hey it makes us look innovative", in time some engineer will build this stuff into the more mundane and it will trickle down into everything we use, the useful will be adopted and be perfected the rest will die by itself.

    1. Pascal Monett Silver badge

      Re: Depressing

      You had hoped for a more positive attitude ? On the forums of a site that says it bites IT ?

      If we are not positive (generally speaking), it is because a lot of us work in IT and we see how it is done, especially at the decision-making level. Then we run this fad against our reality-checking process and the result we see sends us to our nuclear fallout shelter.

      But hey, go and be part of the live bug testers. Somebody has to do it, after all.

      1. Anonymous Coward

        Re: Depressing

        I work in IT, in tech support, and for 29 years now, and yes support guys are the biggest pessimists going, but that's not to say I dismiss every new development out of hand, I worked for a large telecoms provider at the time the iPhone came out, people forget how truly disruptive it was at the time, yes there were other touch screens out but the interfaces were truly horrendous, and the design that was getting the most praise before that was the Blackberry. The iPhone type phone was ridiculed as crap, a fad, etc....until sales went through the roof, my particular company were then scrambling to play catch up and most of those who didn't change are now being bought up by other companies.

        I started in IT when everything was green screen, and sure I'll use command line if the task warrants it but I'll also use GUIs, if holographic Minority Report style interfaces or thought control become viable and useful sure I'll use those too, rejecting new ideas or technology isn't due to being in touch with reality it's more to do with having a lack of imagination or reluctance to ditch what you know, sure the initial stuff's crap, but someone has to push it forward, if you're content to sit on the fence and let others do that then fine, I've seen plenty of people in this business who had that attitude, they got retired off with outdated skill sets decades ago.

        1. Pascal Monett Silver badge

          Re: I work in IT

          It seems we agree that someone has to do it.

          It also seems that if one is not willing to hand over his private life to potentially dodgy security systems without any guarantee that it works, then one is "outdated" and only good to be put out to pasture. It's the new version of "if you're not with me...".

          Well put me out to pasture then, neither of us will miss the other.

          However, you will have to agree that things are not getting better on the Internet. We saw Google go from benign to worse than Microsoft. We saw Facebook blatantly and publicly make every possible move to invade user privacy and the sheeple keep using it. Now we are witnessing the creation of a new invasion path that is going to put Internet surveillance inside our very real life.

          Excuse me if I am not 100% confident that marketers or insurance companies are not going to get their grubby mitts on that data and use it to extract yet another pound of flesh from me.

          I'm done believing that the Internet is a benevolent entity only preoccupied with my well-being. The Internet is now a digital slum. The only people I trust are the ones I know personally. The only sites I have a modicum of trust in are the ones I have been visiting for ages already. Everyone and everything else is the enemy until proven otherwise.

          Especially corporations and their marketing.

      2. btrower

        Re: Depressing

        TL;DR can be hilarious and I expect that someone will take the low-hanging bait provided here. However, I am not sure I want my systems designed by people for whom 'TL;DR' is a pithy response to text that, for them, is simply TL. 'Did not Read' ('DR') is operationally equivalent to 'Cannot Read' ('CR'). If you have not actually read and comprehended what you are responding to, I expect your range of responses is going to be a bit limited. Should people who effectively 'CR' be heavily involved in technical decisions about systems design? Perhaps, but I would be inclined to look to someone effectively capable of reading for confirmation.

        'N of one' examples are fine as illustrations, but they are not good as evidence. If you never read anything longer than a paragraph, your knowledge of things would tend to be limited.

        The choice is not between an Internet of Things or 'not' an IoT. The choice is between an Internet of wild, stupid, dangerous things or an Internet of tame, smart, safe things. Right now, about half the people here are arguing for the Internet of the stupid. To some extent, if people like that are vocal enough, we will all get what they wished for. That would be a shame.

        The odd thing about this conversation is that the IoT is *already* with us. It is hard to predict novel events in the future, but the increasing convergence of the network is not novel. It is well underway. I wrote about its inevitability myself more than a decade ago. The writing has been on the wall a long time. Factions claiming that 'the old way will never be replaced' have a truly dismal track record.

        I refer again to the mathematics of 'group forming networks' (GFNs). It is not the fact that your microwave is connected to the network. It is the fact that *most* devices are connected to one another and groups of them connect to other groups. Your microwave, by virtue of being integrated into a GFN, can be smarter than you are and it can do this with a brain so small and cheap that neither its physical self nor its cost can even be seen. It can use just about as much brain as it needs for a given task and no more. A disparate network as we have now has most of its capacity evaporate into thin air. With duplication of effort, it is likely using a thousandth, millionth or even less of aggregate network resources. There is more than a Zettabyte of disk space up for grabs just by integrating the network. The IoT can release vast resources already in place.

        Economies of scale allow much better designs and more fault tolerant chips with greater capacity for less money. We could free up enough value to, for instance, help the third world bootstrap its way into the first.

        Connected devices are different in kind from disconnected ones. Groups of integrated connected devices are yet even more different in kind. Lots of synergistic interactions could surprise us with improvements we never even thought of. Text Messages might seem a step backward from voice calls, but they are preferable in many cases, perhaps even most, and they free up vast resources at a stroke. One effect of this is that the world becomes a bit safer. In times of crisis, voice calls could easily jam a network that would be fine under the highest possible volumes of text messages. A smart integrated IoT network would allow, for instance, radically reducing power use in an emergency.

        You don't, as a rule, get a choice as to whether or not there is wiring in your house. It is there when you move in because just about everyone uses it all over the place. You don't specify whether or not your microwave oven has an embedded controller. It has one; the end. Fact is, the choice of whether or not you live in a world of IoT is out of your hands. It is coming and you are going to live in the middle of it. Given that it is coming, you might like to ensure that it comes in good and not evil. Trying to stop the unstoppable is not likely the optimal course to ensure that your needs are met.

        Pretending that it will not come will only make it a little bit worse than it could be, it won't stop it.

        The arguments against are just retreads of the same tired arguments that already have a track record of failure:

        "I’m uneasy about this most trendy and oversold community. Visionaries see a future of telecommuting workers, interactive libraries and multimedia classrooms. They speak of electronic town meetings and virtual communities. Commerce and business will shift from offices and malls to networks and modems. And the freedom of digital networks will make government more democratic. Baloney. Do our computer pundits lack all common sense? The truth is no online database will replace your daily newspaper, no CD-ROM can take the place of a competent teacher and no computer network will change the way government works." -- Clifford Stoll, NEWSWEEK magazine, issue dated Feb 27, 1995

        "After almost 80 years in print, Newsweek is the world’s most widely-read magazine to go completely online. The cover of the final print issue, dated December 31, is a shot of what was its Manhattan office building, with a Twitter hashtag, #lastprintissue, across the front in red." -- Nevil Gibson, "Newsweek bows out after eight decades in print", "National Business Review", December 27, 2012 [http://www.nbr.co.nz/article/newsweek-bows-out-after-eight-decades-print-ng-134273]
