back to article Government regulation will clip coders' wings, says Bruce Schneier

Government regulation of the Internet of Things will become inevitable as connected kit in arenas as varied as healthcare and power distribution becomes more commonplace, according to security guru Bruce Schneier. “Governments are going to get involved regardless because the risks are too great. When people start dying and …

  1. inmypjs Silver badge

    More Hype

    Sounds like more IOT hype just not from the usual suspects.

    Can't say I am that worried about IOT security because I still can't imagine a thing that I would have any real use for.

    1. Stoneshop Silver badge
      FAIL

      Re: More Hype

      And you won't be affected by the insecurity by others' use of IoT (including public services). No. Definitely not. Nuh-huh.

      1. Destroy All Monsters Silver badge

        Re: More Hype

        You will meet Doctor IoT at the hospital. You can be sure of this.

  2. Pascal Monett Silver badge

    I perfectly agree with Schneier

    We are witnessing the origin story of the Butlerian Jihad. In real time.

    As for me, I am already dead against IoT and I will ensure that neither my fridge nor my toaster nor anything but my PC will ever, ever be connected.

    Not without a T-1000 acting as firewall. Emphasis on fire.

    1. Justin Clift

      Re: I perfectly agree with Schneier

      Wish it was that simple. Unfortunately our power outlets are networked through our houses, and on out to the power utility infrastructure. They're all perfectly capable of carrying data.

      No firewalling that yet. :(

      1. Baldy50

        Re: I perfectly agree with Schneier

        An inductor calculated to attenuate the frequency used in communications to an unusable level placed in series with both current carrying conductors?

        Physically disabling the device in questions ability to communicate and WI FI too.

        Just a thought.

        1. Richard 12 Silver badge

          Re: I perfectly agree with Schneier

          The inductors needed to attenuate powerline networking are really huge, and so very expensive.

          Back before there was an EU standard written, we did some testing and it turned out that the only affordable way to block powerline is the local substation or pole-top transformer.

          Which actually doesn't work anyway because the radiated emissions are such that it's basically wifi.

          1. Steve D
            Meh

            @Richard 12

            "The inductors needed to attenuate powerline networking are really huge, and so very expensive."

            Really? I fitted a simple mains filter from RS as part of my PC's mains conditioner. When plugged in after it, the powerline networking totally fails. No other unit sees a signal. When the powerline adaptor is plugged in upstream of the filter, it works fine.

            1. Anonymous Coward
              Anonymous Coward

              Re: @Richard 12

              That's the above-the-board powerline networking. Think of the secret stuff that can disguise itself and operates outside your filter's frequencies. Or think hidden whispernet chips that don't need wires at all.

          2. energystar
            Coffee/keyboard

            Re: I perfectly agree with Schneier

            If you can't clean, then dirt it a lot more.

        2. Charles 9 Silver badge

          Re: I perfectly agree with Schneier

          "Physically disabling the device in questions ability to communicate and WI FI too."

          It'll reach a point where you can't kill the communications capability without killing the device itself. AND voiding the warranty.

      2. techulture

        Re: I perfectly agree with Schneier

        A jammer disguised as a cheap, "badly shielded" chinese appliance?

    2. allthecoolshortnamesweretaken

      Re: I perfectly agree with Schneier

      And who is coding the software for your T-1000*, OS and all, and reviewing the code?

      *Which is also a part of the 'Internet of Things'

    3. Dave_uk
      Facepalm

      Re: I perfectly agree with Schneier

      "I am already dead against IoT and I will ensure that neither my fridge nor my toaster nor anything but my PC will ever, ever be connected."

      What about your smartphone? Oh yes thats OK!

      What about your TV? Oh, forgot about that, what else too....

      1. Pascal Monett Silver badge

        Re: What about your smartphone?

        I believe they are covered by that sentence that includes "nor anything but my PC".

  3. Anonymous Coward
    Anonymous Coward

    The man's an incorrigible optimist

    The choice is between smart (well-informed) or stupid government regulations

    Evidently he's not got much experience of the British government, where our choices are going to be between really stupid and bloody stupid government regulation. Our political decision makers are intellectual lightweights who know so little about IT, science, technology, or even business that failure is baked in to everything they touch.

    1. sysconfig

      Re: The man's an incorrigible optimist

      Evidently he's not got much experience of the British government

      I think he's well aware of it, not least because he used to be employed by the BBC. (And the British gov is not the only stupid one in the world.)

      But you don't go on stage at a major security conference and call out the government for what they are. It closes all doors for any sort of communication in the future. So you keep your reasoning along the lines of "haven't lost all hope just yet". Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?

      1. Anonymous Coward
        Anonymous Coward

        Re: The man's an incorrigible optimist

        Who knows, being the renowned security guy he is, he might be hoping to get an advisor role with a government?

        Well, a nice government sinecure keeps the wolf from the door. Take the money, don't do anything, don't rock the boat. If your standards are low enough, working for the government is a dream job.

        But on the other hand, when you look at any of the really intelligent guys who become government advisors, the fuckwits of the establishment ignore their advice, and just keep doing what they wanted to do in the first place (eg, Prof. David Nutt, the late, great Sir David MacKay, and more than a few others).

      2. BebopWeBop Silver badge

        Re: The man's an incorrigible optimist

        I think you will find it was BT not the BBC. Slightly different I think you might find.

        1. sysconfig

          Re: The man's an incorrigible optimist

          I think you will find it was BT not the BBC. Slightly different I think you might find.

          BT of course. Thanks for the correction.

      3. Mage Silver badge

        Re: The man's an incorrigible optimist

        BBC or BT?

        He was employed by BT

    2. energystar
      Windows

      Bruce is an incorrigible optimist...

      On seeing a Path, when almost nobody else able.

      On honest introspection, almost no individual thinks this is going to derive other side, but catastrophe.

      [But money is so strong...]. Who cares about 'individuals'!

    3. a_yank_lurker Silver badge

      Re: The man's an incorrigible optimist

      And the Congress critters make the British look like a bunch of geniuses.

    4. Anonymous Coward
      Anonymous Coward

      Re: The man's an incorrigible optimist

      "the British government, where our choices are going to be between really stupid and bloody stupid government regulation."

      Ah. You should move to the US. Our government has an unblemished record in their IT endeavors.

  4. Del_Varner

    I want a dumb house.

    If something can be hacked, it will be hacked. If something can be used as an avenue for advertising, Google, Facebook, Amazon, etc. will use it and will have sneaky Terms and Conditions to allow it to take anything they want.

    1. Stoneshop Silver badge

      Re: I want a dumb house.

      My house will be reasonably smart, but as such not connected to the Internet. Its smarts are autonomous and self-contained, with its own sensors and such.

      1. energystar
        Gimp

        Re: I want a dumb house.

        "My house will be reasonably smart, but as such not connected to the Internet."

        Fifteen cents the 'chip', plus antenna. Who needs to warn You, miserable consumer?

        Better get a good radio scanner.

        God! WHERE are we going?

        It could pass half a life silent, and when a passing Blue-tooth 'sucking' device Agent pass by....

        1. Stoneshop Silver badge
          FAIL

          Re: I want a dumb house.

          Fifteen cents the 'chip', plus antenna. Who needs to warn You, miserable consumer?

          I do, myself. There are no 15 cent chips (plus antenna) in the gear I use.

          1. Charles 9 Silver badge

            Re: I want a dumb house.

            Wanna bet? It'll be hidden in another chip: more than likely one critical to its basic operation. You won't be able to kill it without killing the device itself. Part and parcel.

          2. energystar
            Windows

            Re: I want a dumb house.

            A DOER! Hopeful you keep opening your stuff and checking. </TrueCompliment>

            [Should check beyond numbers an letters on little black squares].

            My little OS adverts me of Blue Tooth. [Not in the spec].

        2. Vic

          Re: I want a dumb house.

          It could pass half a life silent, and when a passing Blue-tooth 'sucking' device Agent pass by....

          With respect, do you think it's about time you started posting in your first language?

          We might stand a better chance of undestanding...

          Vic.

          1. energystar
            Windows

            about time you started posting in your first language...

            Sorry about that... Will try harder next time. [Because you won't try, on my first language].

      2. Dadmin
        Facepalm

        Re: I want a dumb house.

        Reasonably Smart is the way to go. Back in the olden days I went to a network industry conference called Interop. There I stood next to a very odd, but very real Clifford Stoll (https://en.wikipedia.org/wiki/Clifford_Stoll) and another famous network "celebrity" the original Internet Toaster (see https://en.wikipedia.org/wiki/Simon_Hackett). Anyway, I saw the toaster and thought; how fun! It was a laugh, no one expected there to be IP-ladden toasters with RJ-45 connectors next to the Dark/Light knob. But who knows? Now they are coming, and consumers will probably buy them, and make some toast with an app, and have a laugh. But do we really need all appliances working on my internets, then perhaps connecting to the real Internet? (Hi, again elreg. why is it Internet-of-Things, and not internet-of-Things? surely, you have time to hit the shift key for THAT?! :P) Does my TV need an Internet connection? Sure if I want it to view Hulu or other built-in apps, that would be fine, I guess, but I already have dedicated products for that, and with the state of crap firmware and the need to always update, perhaps I'm better off with a dumb TV and smarter, yet controllable smaller devices.

        The IoT, or ioT for elreg, is a dream for hardware designers who want to make a thing "smart" at the expense of dumb consumers who think they need that level of control over their devices. However, I think the industry for this is going to come to a realization that most people don't need any of these "smart" products, we just want smarter products and some control over how they gather and send data. There will be a mad dash to get these devices to market before the consumers get wise to the inherent security issues with having a fridge talking to various vendor and affiliated networks for no good reason other than; "oh, you can do your shopping list right from the fridge itself, it scans your barcodes and tells you when you need more milk, and other stupid shit that you could jolly well do yourself, but perhaps are too lazy or stupid." "Lazy and stupid customers!? Where do we sign up for them!" -- Every IoT maker today

        It's all coming soon to a supermarket or electronics store near you. Beware. I'll still purchase a new toaster, but it better be happy with firmware v1.0.0 and never EVER getting to see the light at the end of a VPN tunnel. YMMV.

    2. 's water music Silver badge

      Re: I want a dumb house.

      when I am on my own at home I want to still be the smartest guy in the room

  5. Dan 55 Silver badge

    We’ve allowed programmers to have this special place in society to code the world as they see fit

    Well personally I'd rather do things properly. Businesses decide who does what when and they're not particularly interested in fostering a culture where things take longer than the bare minimum to get done.

    1. energystar
      Linux

      Coders ARE, and have been indolently, unprofessionally, unethically playing...

      “We’ve allowed programmers to have this special place in society to code the world as they see fit,” Schneier said.

      Bruce seems to be not enough advised about the State of Affairs at IT. Coders DOESN'T code the world as they see fit. At least as a profession. Bruce is looking at the wrong side of the Company, Corp.

      On Bruce behalf. Coders ARE, and have been indolently, unprofessionally, unethically playing the card: Did what was ordered to do.

      1. energystar
        Angel

        "Coders DOESN'T code the world..."

        [Easy your worries! Little minions...]

      2. energystar
        Big Brother

        Re: Coders ARE, and have been indolently, unprofessionally, unethically playing...

        Surely Bosh case is minions guilt. Aha! </sarcasm>

  6. Andy Non Silver badge
    FAIL

    Its all depressingly inevitable.

    Sooner or later it will hit the fan big time. Cars will be hacked and forced into accidents, houses set on fire or otherwise damaged. Personally I don't want any IoT in my house, ever; but that assumes that IoT-free housewares will always be available. Most TVs on sale now are internet connected and the gullible public will likely slowly uptake more IoT products over time; they may not have much choice in the end, e.g. so called "smart meters" being forced onto everyone.

    The hackers will range from bored kids having fun messing with your appliances from the comfort of their bedrooms to organised hacking by foreign governments and terrorists. Even "friendly" governments and our own might not pass up the opportunity to eavesdrop on the proletariat via whatever means IoT provides.

    Programmers will continue to be under pressure to churn out code that "works" without necessarily having good security in place. I can't conceive of how secure coding could be legislated, checked or enforced by law.

    Governments will eventually act, in their usual clueless manner, passing laws that miss the point and just make life difficult for everyone. I don't see any happy outcome from IoT. Even if good security is baked in, security holes are likely to turn up and require patching, which in turn opens up another can of worms allowing external access to the core of IoT devices.

    IoT is just a slow motion train wreck, however you look at it.

    1. Andy Non Silver badge

      Re: Its all depressingly inevitable.

      I'll just add that IoT may not just be a metaphorical train wreck, if you end up with IoT embedded in railway signalling, automated crossings and track changing equipment, the outcome may be far more serious. When IoT is incorporated into critical infrastructure, the you are risking more than a "blue screen of death" or system crash.

    2. allthecoolshortnamesweretaken

      Re: Its all depressingly inevitable.

      Yep, one way or another, we're doomed. The irony is not lost on me - civilisation will not end with a bang (aka global nuclear war as envisioned in nearly all the SF from the mid 1940ies to the late 1980ies). It will end with our smart toasters burning down our houses (after ratting us out to the ever increasing surveillance state), with our smart fridges cleaning out our bank accounts by ordering a 100 year supply of groceries, with our smart lawnmowers mowing down our pets, with our self driving cars blocking the roads to hospitals and power stations, and so on. Future historians, if and when a new civilisation arises from the ashes of ours, will call our era 'the stupid times'.

    3. Dadmin

      Re: Its all depressingly inevitable.

      True that!

      I'm a grown-ass-man, and I plan to crack my neighbor's wifis and break into IoT devices with impunity. All because I can, and want to see what is doable in the real world. Information wants to be free.

      1. Anonymous Coward
        Anonymous Coward

        Re: Its all depressingly inevitable.

        " Information wants to be free."

        I think it flows one way: My information should be free to who ever wants it, I should pay for information.

        Unless it's a FOIA request - then I shouldn't be given the information.

  7. Erik4872

    How about professional engineer status for coders?

    In the 20 or so years I've been in the IT field, much of which has been doing systems integration work on really crappy software, I've often wondered why we don't have some sort of PE-style licensing arrangement. This would in my opinion get around "regulations" forcing people to code a certain way, by making individual practitioners responsible for the abominations they write. The second you try to regulate something like coding methodologies, it'll be obsolete overnight. Let's say you're able to replace the hodgepodge of educational backgrounds out there with a reasonable set of prerequisites. Make sure people actually understand what the stuff they're writing does when run on real-world systems.

    I fall into the self-trained camp, but I would welcome the opportunity to make my education more formal. PEs require an engineering degree, experience and a licensing exam as a minimum barrier to entry. I'd say that beats coder bootcamp and stackoverflow reading any day of the week.

    And, as much as malpractice lawsuits scare me, the idea of personal responsibility for bad work holds value for me. One thing about our field that drives me nuts is watching someone screw something up, entirely their fault, then get fired, then land another job a week later with a hefty raise. Mistakes shouldn't be able to be covered up by cleaning up your resume and applying somewhere else.

    1. Andy Non Silver badge

      Re: How about professional engineer status for coders?

      It would also require a shift in management policies. Programmers often work to a list of priorities and deadlines specified by their line manager. Whereas a surgeon who is professionally responsible will take as long as required when operating on his patient, would programmers be given the same freedom and flexibility? If managers prematurely say a project is "good enough" to release before the programmer is happy with the security what then? A programmer who refuses to sign off prematurely may find himself replaced with others who would. Who would be responsible in the event of an IoT disaster resulting in the loss of life? If a programmer is working as part of a team, you could end up having to sign off each line of code you wrote. Which line is responsible for an IoT disaster? It may be far from clear with many interrelated modules developed by many different programmers plus third party software components.

      Also, with much of the focus nowadays being on outsourcing programming to the cheapest programming-factory in India and elsewhere, would there really be the required focus on sound security practices?

    2. Yet Another Anonymous coward Silver badge

      Re: How about professional engineer status for coders?

      PEs also require that you are supervised by a PE.

      So great if you are a mechanical engineer at Ford, trickier if you are at a startup.

      Although it works great for us. It neatly divides each new graduate crop into those that eventually want a nice safe job in local government (where professional status is required for all managers) and so go and work for whatever large utility will tick all the PE boxes. And those that actually want to make something new and interesting.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about professional engineer status for coders?

        "PEs also require that you are supervised by a PE"

        Then who supervises THAT PE and so on up? What about when you get to executive positions and so on who can still dictate terms? Will THEY have to be PEs, too?

    3. energystar
      Headmaster

      Re: How about professional engineer status for coders?

      Could find myself unwilling to agree. Actual Coders lack Enough Science and Engineering Foundations.

    4. dajames Silver badge

      Re: How about professional engineer status for coders?

      ... the idea of personal responsibility for bad work holds value for me ...

      You're not talking about responsibility, you're talking about accountability.

      Making individual developers accountable for failings in their software will ensure that people get punished for doing bad work, but it won't prevent bad work from being done -- just ensure that the same people don't do bad work twice!

      To ensure that a piece of work will be good you need first to have the will to make it good, knowing that it would be cheaper to make it bad. You then need to foster a culture in which quality is a primary goal, one in which short-cuts are NOT taken, one in which testing is part of the development cycle. Everyone involved in a development project should understand what the product is meant to do, what it's for, how it will be used, how its components fit together, what might go wrong with it in operation, and what might be done TO it in operation. Assumptions must be challenged.

      Yes, I think professional certification would be good for our industry if only because it would mean that the people doing the actual work would be able to demand some respect from the people they work for, and having management with the same qualifications would mean that our managers will actually understand what you're talking about when we go to them to discuss technical problems.

      As assumption in mechanical engineering is that madmen with spanners won't clamber all over the machinery undoing the nuts and bolts, yet this -- or something analogous to it -- is exactly what happens in software. We need better defences in software.

      The way to ensure that the defences are built is to make companies -- not individuals -- accountable for the failing of their products. Set down legal standards that must be adhered to, with which individual software and hardware products must comply. Something like a BSI kitemark, but as a legal requirement. It'd add a layer of -- unacceptable, to some -- beaurocracy, but it's the only way to keep the cheap shit off the streets.

      Your new lightbulb connects to the internet? Well, then, it must employ some access control, it must use encrypted connections, it mustn't expose any unnecessary interfaces, it must pass a certain basic set of penetration tests. If it doesn't pass the tests you can't legally sell it. If building it to meet the standard makes it too expensive for the market then perhaps you should have thought of a more commercially viable product in the first place.

      1. Anonymous Coward
        Anonymous Coward

        Re: How about professional engineer status for coders?

        Trouble is they'll just find a country that wants to cheat and use sovereignty against you. Especially if that country is a net exporter of something significant like petroleum...

  8. BebopWeBop Silver badge

    Security by design – applied to cars, planes, automobiles – which is characterised by testing and certification, is going to run into the agile model applied in software security of “muddling through putting it out there and fixing it on the fly”.

    No. Even agile systems require testing and certification if they are going to be accepted by most rational customers. Security by design requires design. You see it's in the name. Not that difficult is it?

    And if you can point at anything more than cursory 'design' in many automobile systems - from the hack able radio keys onwards, please share. Security has to be boiled into the mix at inception - well before you choose your methodology, and then be reflected in that methodology. You can be 'agile' and still maintain a secure system, it's just that it will turn out to be rather more expensive than management would desire.

    1. Charles 9 Silver badge

      OK, how do you design security into a business that's pressured by the investors to get the RoIs quickly?

      1. BebopWeBop Silver badge

        Ummm, well you insist it happens. If they refuse, then it has not been designed in.

        This is a silly question, akin to how do you save the life of someone bleating from the femoral artery if they refuse treatment and set off on the first leg of their triathlon.

        Jeesh.

        1. Charles 9 Silver badge

          No it's not because the investors are part of the problem. And the investors are the ones fronting you, who hold the actual ownership and who can make things very uncomfortable for you if they choose to sell. Most investors these days are short-term. They want everything yesterday or they'll find someone else to back.

          Going back to your example, when someone has a hemorrhage like that, sometimes, you have to intervene even if they don't want to (assuming they're not of sound mind), but if the legal environment is such that attempting to do so could get charges put on you, you're kinda caught in a no-win situation.

          That's the kind of environment we're in: the only way to avoid legal trouble is to stay a course that's can only lead to trouble. Damned if you do, damned if you don't.

  9. richalt2

    the customer is always right

    really this is more about what people choose to buy. you can buy the cheap phone with many bugs, or pay more. You can pass by the Internet entertainment system in the car. There is a place for government regulation when your purchase impacts me. else buy what you want, malware and all.

    1. allthecoolshortnamesweretaken

      Re: the customer is always right

      But if all my choices are between different heaps of shit (in a variety of shape, colour and smell) I still end up with a heap of shit in the end, no matter the budget I can afford.

    2. Justicesays

      Re: the customer is always right

      Turns out their choice of an Internet Entertainment system in their car might literally impact you... with a car.

    3. energystar
      Childcatcher

      Re: the customer is always right

      Your bad car choice [and its software] could end IMPACTING me. No, in real life is usual that customer is wrong. That's why professional services were created.

  10. martinusher Silver badge

    What is the IOT anyway?

    IAs someone who's been controlling stuff over networks since about the time that networks were first invented I find the IOT intriguing.....but then I go and look it up to find out what it is. It seems to be a bunch of marketing types circling the fire, all waiting for someone else to come up with the killer app, plus a handful of things that you can turn on and off (that are functionally similar to the X25 stuff we could get from Radio Shack years ago if a little more expensive).

    As anyone in real time will tell you its no place for 'agile' type development -- R/T methodologies tend to be conservative because bugs have consequences. Security wasn't much of an issue at first because systems were physically isolated but as connectivity grew we became a lot more security conscious. (...and it wasn't my idea to design SCADA systems on the Windows/XP platform, this is the sort of high level 'management decision' that gets handed down to you, a bit like the gathering clusterf**k we call IOT). So if you find your car hijacked then its because you're using rubbish designers, its not a technology issue, and the last thing you need are armies of bureaucrats telling you how to do your job, just more people to actually do the work.

    1. This post has been deleted by its author

      1. Dadmin
        Pint

        Re: What is the IOT anyway?

        I just checked, and my TRS-80 Pocket Computer PC-2 disagrees with you! BASICally.

        (see https://en.wikipedia.org/wiki/Sharp_PC-1500)

    2. Stoneshop Silver badge
      Holmes

      Re: What is the IOT anyway?

      (that are functionally similar to the X25 stuff we could get from Radio Shack years ago if a little more expensive).

      ITYM X10

      Rat Shack is dead, X10 doesn't use the Internet, so it's not Hip Innovative Shit

    3. Bakana

      Re: What is the IOT anyway?

      " if you find your car hijacked " the First question you should be asking is:

      What Idiot thought connecting my Car to the Internet was a Good Idea in the first place?

      GPS? Doesn't need an Internet connection.

      Brakes? Why?

      Steering? Why would you want someone in Russia steering your Car?

      AC? What's wrong with an old fashioned Thermostat?

      Software Updates? That's really something that should be done at the same time as an Oil Change and only by Trusted Professionals. Over the Internet, You Can't Trust it.

  11. John H Woods

    Don't we already have the legislation?

    Negligence? Corporate manslaughter? I'm sure some more resources put into investigation, detection and enforcement might achieve better results than yet more qualifications and rules.

    1. Anonymous Coward
      Anonymous Coward

      Re: Don't we already have the legislation?

      I suspect it's because they tried that and they keep seeming to get off, usually by way of pinning the blame onto the user (PEBCAK), plus they probably have deep enough pockets to "pay off" whoever they need to pay off to get off. How do you combat that when money talks and all else walks? And walking away may not be an option: captive markets and essential needs and so on...

      1. Bakana

        Re: Don't we already have the legislation?

        The Lawyers get paid to convince the Judge that since the words "Computer" and "Internet" don't appear anywhere in the original Law that the Theft or Murder or any other crime isn't covered.

        Never mind that, in many cases, just because a Computer was involved, doesn't mean that anyone who looks can't see that the Crime WAS Committed.

        The very First thing a Lawyer is taught in Law School is "Swallowing Camels and Choking on gnats."

    2. evilhippo

      Re: Don't we already have the legislation?

      Exactly! That would be vastly more effective than yet another layer of turgid regulations and qualification designed (in fact) to keep out innovators and protect established players.

    3. Eclectic Man

      Re: Don't we already have the legislation?

      I expect that there is legislation in the EU and Germany about faking your exhaust emissions tests, but who at VW has actually been proved to have done the coding, and allowed it into the engine management system computers? That shows either an amazing lack of quality control on the software configuration and testing or management interference.

      If anyone has proved anything about a named individual, please post a link.

  12. Camilla Smythe

    Hah! Hah! Hah! #IPBill

    Gov, Tom, Dick and Mrs Miggins get to haxxor it anyway.

    1. Dadmin

      Re: Hah! Hah! Hah! #IPBill

      Mrs. Miggins' Pie Shoppe, now with 10% more IoT in every teacake, scone, muffin, cronut, or pie.

  13. DCLXV

    Hello Warld

    Schneier loves beating on the IoT drum but I don't know if he has made it clear what the REAL problem is here. Insecurity has always existed, the fact is a lot of "real world" shite has been networked going back to the days of RS-232. So, networking a fridge or toaster hardly constitutes a paradigm shift.

    The real problem that is emerging is that software is now far more dependent on byzantine algorithmic processing, with the expectation that more of this somehow leads to the emergence of more intelligent software. Which may be true, in the short term. Some of the most clever software I've seen is barely more than an amalgamation of awful hacks that just happen to work. Anything is possible.

    The real problem that is bound to emerge from this is that when you have a house full of IoT hardware all with local intelligence, in addition to a centralized intelligence managing them, it's virtually impossible for anyone to really determine ahead of time what crazy tangents all this intelligent processing can fly off on when a link in the chain starts to parse dodgy input and include that into its decision-making.

    Imagine the house as a machine and all the IoT knick-nacks as a cog. What if a cog has been feeding the machine a skewed variable for years? By the time the 'brain' component of these increasingly vast, distributed networks figures out that something is OFF in all this complexity, the situation "at the coalface" may have passed the point of discomfort for the victims of these cogs attempting to interact at various stages of obsolescense.

    That is the real danger that lurks in IoT, and it may be unavoidable. My 2c, for your consideration.

  14. Tromos

    "We are going to see...more trusting of the government"

    Altogether now-

    "OH NO, WE'RE NOT"

    1. GrumpyOldBloke

      Re: "We are going to see...more trusting of the government"

      > When people start dying and property starts getting destroyed, governments are going to have to do something,

      No government likes competition.

    2. Charles 9 Silver badge

      Re: "We are going to see...more trusting of the government"

      "OH YES YOU ARE"

      Because the alternative is corrupt corporatocracies that can find their ways AROUND laws. Which would you have have lording over you (and BTW, you WILL be lorded over; your only choice is BY WHOM).

  15. energystar
    Alert

    And then, the blackout...

    "IoT as a world-sized robot that society is building and made up of connected devices that can sense, think and act autonomously." -Bruce Schneier.

    And then, the reboot... WATCH!

  16. a_yank_lurker Silver badge

    Management

    Often the real problem is the various PHBs deciding what constitute good code. Remember that most of PHBs have difficultly turning on their smartphone let alone a computer.

    1. Dadmin

      Re: Management

      It's the kind of sloppy design work that ends up getting shipping in the product because "we had to ship it on <date>." Then the "oh, we'll fix that with a firmware, or other, update" excuses. As an example, when I worked for a game maker, the code HAD to be ready, the content HAD to ship on day 1 with as few bugs as humanly possible, because when you burn a CD-ROM, that's it. You don't get to burn some with fixes and whatnot. You did the work, you test the shit out of it, you golden master it, then ship. On older console systems, you get the code and it never changes. That makes the producer work extra hard to build a error-free product, not "let's just rush it out the door and make some patches later." Nowadays, most everything is "ship that shit, we'll patch it later" and it shows. IoT must do better, or people like me will break it. A LOT.

      1. Charles 9 Silver badge

        Re: Management

        You never saw the Atari 2600 versions of Pac-Man or E.T., have you? Even in the 80's the PHB could dictate terms (like "It MUST be ready by Black Friday or we'll miss the holiday shopping season and lose ALL THAT MONEY!"), and the results could get pretty ugly.

    2. Vic

      Re: Management

      Often the real problem is the various PHBs deciding what constitute good code.

      s/deciding/caring/

      Vic.

      1. Anonymous Coward
        Anonymous Coward

        Re: Management

        No, it was right the first time. If the PHB says so, they usually have the blessing (or ORDERS) of upper management, so it's usually do it OR ELSE. And if you take "OR ELSE," odds are they'll blacklist you to every other related business in town...

  17. Anonymous Coward
    Anonymous Coward

    I was chatting to a friend yesterday about IoT and Smart this and that, and he said "The IoT will be obsolete before it even exists."

    When I asked him to explain what he meant, he said "Take Smart TV's, irrelevant already. Why does my telly need to be smart when everything I plug into it is already smart."

    Valid point, when everything connects to the internet, what will the point be?

    1. Destroy All Monsters Silver badge
      Paris Hilton

      I don't understand.

      IoT devices do not necessarily need to be "smart", they just need to have some kind of control function.

      They certainly will not be "all the time connected". Maybe do some I/O when they have harvested enpugh energy to power on the radio interface. Indeed, it will liked be a security feature to NOT have the damned stuff online all the time.

  18. Anonymous Coward
    Anonymous Coward

    Unreasonable use of the Internet

    I wouldn't expect a bank to send a box of cash to a branch by taxi because it is cheaper, or a hospital to send a bag of blood by the National Express coach network for similar reasons, so why do they appear to think connecting sites using badly secured public Internet links is acceptable.

    1. Anonymous Coward
      Anonymous Coward

      Re: Unreasonable use of the Internet

      Because unlike financial or medical, they're on a budget. Put it this way. Suppose you're trying to transport some blood but you're only given $100 to do it. That's the kind of constraints some people face. And there's no time to argue; you have a deadline; LIVES are on the line.

  19. Destroy All Monsters Silver badge

    Even less Microsoft in the market?

    Good!

  20. David Pearce

    Cars are given as an example of a regulated market.

    Why do manufacturers think it is a good idea to have the ICE, with a Windows OS, to be on the same CAN bus as the brakes and throttle

    1. Charles 9 Silver badge

      Because the customers start clamoring for it and you lose business if you don't comply.

  21. Anonymous Coward
    Anonymous Coward

    The Stupidest Guy In The Room

    The government solution is always to put the stupidest guy in the room in charge.

    Which works out well for them, because they always supply the stupidest guy in the room.

    That's how they create a demand for their never-ending supply.......

  22. razorfishsl

    Good luck on getting this implemented in China...

    They cannot even control the mobile phone markets to ensure software is updated by vendors......

  23. Bakana

    What? When?

    I was a programmer for Years and don't remember EVER being allowed to "Do as I pleased".

    A lot of the stuff I worked on would have worked a Lot Better if I'd had just a tiny bit of input into the actual Design. Managers who know Nothing about Computers or how they work come up with some really Gawdawful ideas at times.

    For Example: "You can't make the Key to that file Unique because That would be telling the Customer how to run his business."

    "But, if it's Not Unique, we'll be forcing them to wade through 30 or 40 different files searching for the One they want. Besides, I'm going to bet that they already have a system of Unique IDs in their Paper filing system that we are replacing or they'd Never be able to Find Anything."

    Sadly, that argument fell on deaf ears and, after the application went Live, the biggest complaint we Had from customers was:

    "Why didn't the system Flag the Duplicates? If I'd known these files were already out there, I'd have been saved a bunch of work."

    Because, guess what?, in an office where 5 or 6 people share the same job, sometimes they don't always realize that someone Else has already begun working on the same file.

    Although there Was one time when I was ordered NOT to fix a coding problem that I'd identified because the guy trying to order me NOT for fix it was one of the people responsible. I decided that, since he wasn't actually my Boss, I'd fix it anyway and see how well it worked. Besides, it was only 12 lines of code. It cut processing time for that application by more at least 60%. After it was implemented, the guy who tried to order me Not to fix it went around to all the bosses and claimed Credit for the fix. The bosses, not knowing any better, gave him a really Nice Bonus for my work.

    Yeah, being able to "Do as you want" is so rewarding.

    99% of the time, you do it the way it was Designed or find some way to talk someone into Changing the design. And then, you have to TEST the daylights out of it until you expose All the idiotic things the Managers inserted into the design because, after all, they have MBAs and always know best...

  24. evilhippo

    "The trouble is we don’t yet have a good regulatory structure that might be applied to the IoT."

    And there never will be.

    The notion something as intrinsically clumsy as state regulation is the answer to such problems is not borne out by history. With state regulation you get the all the downside of the largest and most bureaucratic big companies with the added 'joy' of sovereign immunity, even more remote faceless indifference and about as much ability to quickly change direction as a train on rails. Regulations will be designed so that once (if) the IoT gets going, it locks in the position of existing players and keeps out "dangerous" innovators.

  25. Measurer

    There are standards out there....

    As I've said before on El Reg, European Standards such as EN 62061, 61508 etc. do attempt to formalize the requirements for safety critical software, but there has to be a realization within the software industry in general that what they code (whether that be IoT based remote control stuff or not) may have a real world hazardous effect, and therefore these standards have to be applied. I have worked in the industrial control industry for over 20 years and it really scares me that layers of abstraction between P.C side code (GUI, Vision processing etc.), and the lower level real time systems for controlling motion or I/O, keep the average coder completely ignorant of how a given system works. Yes, abstraction, libraries etc. etc. are vital, but the coder MUST understand at least in some detail, how a control stack works, when the end result of moving a slider GUI element could result in a toaster going into meltdown, be that toaster in the kitchen local to you, or on the other side of the world.

  26. Anonymous Coward
    Anonymous Coward

    BBC or BT (or BS)?

    Ahem, when Mr Schneier 'left' BT, the notice sent round was one short paragraph noting the fact that he was no longer an employee. There was no paean of thanks for all the hard work he had put in and the effort, contribution and progress made due to his genius. None at all.

    His reported speech at InfoSec does not say anything I haven't heard many times over the last few years, yet when BS says it, the world listens, for some reason.

  27. Aodhhan

    Pfffttt..

    With our current crop of politicians... we won't really have to worry about this for another 5 years.

    It only takes about 4 or 5 people to scream loud, and some politician will be the opposition for them.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019