The Internet of Things is a Terrible Idea (and Guccifer)

Bruce Schneier has an excellent essay pointing out that the “Internet of Things” — the networkification of everything around us, and our increasing dependence on it — is a Chernobyl-level disaster waiting to happen.

The routers, embedded servers, printers, smart toasters, whatever around us use software an average of four years out of date. They’re so riddled with security holes there’s no need for the NSA to install backdoors.

(Which is probably why the CIA has spent the last few years salivating in public over the idea of an “Internet of Things.” No really, even their spokespeople have developed the habit of leaving little puddles of drool by press-conference podiums whenever the topic came up. Rather undignified, really.)

Schneier suggests these devices need auto-update functionality and open-source everything. That’s a start, but it’s basically saying “here’s your new live-aboard submarine, it springs leaks, so there’s a robot to whiz around and plug them. By the way the robot isn’t perfect and some people in the enemy navy have figured out how make it drill holes in the hull.”

In this vein I saw another reference to the disturbingly popular “global brain” hypothesis [1] recently, in the context of the Internet. In light of Snowden’s leaks and Schneier’s observations, hoping for a “global consciousness” via the Internet seems about as wise as building a 55 meter tower on uneven ground in Tuscany [2].

(My opinion is that all forms of “global consciousness” from Marx to Heylighen, being driven as they are by the conscious-or-unconscious desire to subjugate the individual to a larger system, are unnecessary and doomed to fail. But that’s a rant for another time.)

Voting systems have a similar problem.

Let me give you an example. I once had a lively discussion with a cryptographer who’d designed a theoretically wonderful voting system.

I had to hand it to the guy, it was clever. Every hole I could poke in it, he’d already solved in his system. Offline paper verification? Yep. Totally anonymous? Sure. It was solid thinking all the way down, as far as I could tell.

Well, except in one way. Here I was, someone of reasonable intelligence paying close attention and it took a solid 15 minutes for him to explain the important features of the system.

“So wait,” I asked. “John Q. Public is supposed to understand all this as well as they do ‘check a box on the paper’, so they can verify for themselves the system isn’t cheating?”

After all, and I say this as somoene who has complete respect for election observers, with the current system any numbnuts can make sure there’s no funny business. I explained it was hardly reasonable to implement a system where only a select priesthood of people like us would know whether it was actually doing what it said on the tin.


Guccifer: this is very interesting. After a Romanian hacker claimed that Guccifer had a priori evidence of Snowden’s leaks, in an apparently unrelated interview Guccifer displayed (uncharacteristic) extreme paranoia — apparently believing imminent arrest was possible. This includes dreams in which he gets busted by the FBI. (While this latter part is likely a manifestation of paranoia rather than anything ‘real,’ it’s interesting to note CIA hypnotic mind-splitter and telepathy researcher Estabrooks commented the FBI was extremely proficient with “all aspects” of hypnosis. *cue Outer Limits theme song*)

“i don’t know what near future hold for me,” the hacker stated, adding that the thousands of documents were being provided to a reporter “in case I disappear.” Aware that a platoon of federal agents is hunting for him (or her or them), “Guccifer” facetiously claimed to be having dreams “in which a woman is steping up to me saying that she is from Federal Bureau and I am busted.” He added, “meanwhile me trying desperately to erase my files on my computer at my desk or on my smartphone which btw I don”t have because I can”t afford one.”

“The result is hundreds of millions of devices that have been sitting on the Internet, unpatched and insecure, for the last five to ten years.

Hackers are starting to notice. Malware DNS Changer attacks home routers as well as computers. In Brazil, 4.5 million DSL routers were compromised for purposes of financial fraud. Last month, Symantec reported on a Linux worm that targets routers, cameras, and other embedded devices.

This is only the beginning. All it will take is some easy-to-use hacker tools for the script kiddies to get into the game.

And the Internet of Things will only make this problem worse, as the Internet — as well as our homes and bodies — becomes flooded with new embedded devices that will be equally poorly maintained and unpatchable. But routers and modems pose a particular problem, because they’re: (1) between users and the Internet, so turning them off is increasingly not an option; (2) more powerful and more general in function than other embedded devices; (3) the one 24/7 computing device in the house, and are a natural place for lots of new features.

We were here before with personal computers, and we fixed the problem. But disclosing vulnerabilities in an effort to force vendors to fix the problem won’t work the same way as with embedded systems. The last time, the problem was computers, ones mostly not connected to the Internet, and slow-spreading viruses. The scale is different today: more devices, more vulnerability, viruses spreading faster on the Internet, and less technical expertise on both the vendor and the user sides. Plus vulnerabilities that are impossible to patch.

Combine full function with lack of updates, add in a pernicious market dynamic that has inhibited updates and prevented anyone else from updating, and we have an incipient disaster in front of us. It’s just a matter of when.”

%d bloggers like this: