Bruce Schneier: IoT + DMCA = More Monopolies, Limits On Consumer Choice (theatlantic.com)
New submitter OldMan17 writes: On Dec 24, while many of us were busy in a frenzy of commercial excess and socially-conditioned good cheer, The Atlantic published an article by Bruce Schneier predicting that the IoT will be abused in conjunction with DMCA to make our lives worse instead of better. Some of the precedents he cites are old news, but I expect we will have a lively debate in the comments as to whether the over-arching conclusion is justified by his arguments. When everything is online, laws made for "the internet" suddenly apply to everything.
Re: White People Problems (Score:2, Insightful)
Tl;dr: https://xkcd.com/605/
Actually you misunderstand. Let me provide you with a point. As the demand for internet connected cars increases, you assume it will continue to increase. This is a logical fallacy. Imagine that the rate has increased 1% per year for the last 20 years and is now at 70%. Over 30 years you would expect the trend to continue to 100%. But why stop then? After 40 years you would have 110% demand, which is impossible.
There will be internet-less cars forever. They may decrease in preval
Re: White People Problems (Score:2, Interesting)
General purpose computers are on their way out. One decade or less and you won't be able to buy one. With no spare parts, those still existing will stop working very soon. But way before that happens you won't be able to connect to the internet without a "certified" device. This will happen. There is no way to stop it.
Windows only coming with Linux locked out before a (Score:1)
Windows only coming with Linux locked out before any of that and then say go buy to most of the web as they run Linux servers.
Re: (Score:2)
Amazon cloud box != general purpose machine under user control. For now, they let you run pretty much what you want, but that can change at any time.
Re: (Score:2)
$600 a year for years, and it comes with a kill switch. No thanks. I like knowing my tools will stay in the toolbox where I put them last and I don't like paying over and over for them.
Re: (Score:2)
Not $600. $600 in perpetuity or until they decide to up the license fee. Why do you have this slavish devotion to giving up control of access to things you depend on, and for what? Illusory short-term convenience of always having the latest (possibly buggy or purposely castrated) version? It's a sad state of affairs. If illustrator 7 does what is needed, then why not? If it doesn't, then you've got a point, and maybe it's time to upgrade. At least I'd have a choice instead of paying out for endless treadm
Re: (Score:2)
That's the day you stop using the net and actively work against its tendrils infecting your life.
Re: White People Problems (Score:1)
why have you stopped buying general purpose computers?
and anyway. I don't understand what universe anyone could think this "hue debacle" has in any way been a good thing for the company which would encourage others to do the same.
that kind of reputation damage to even a well established company gets large portions of staff laid off.
to an otherwise unknown company like whoever makes hue the usual outcome is chapter 11 bankruptcy.
Re:White People Problems (Score:5, Interesting)
You definitely don't need a frigging Internet connected LIGHTBULB.
I have a few frigging Internet connected lightbulbs, and while they are not "needed", they are certainly convenient. The bulb on my porch is controlled by an IoT motion detector, which also triggers an IoT camera, and sends an alert to my cellphone. The bulb in my kitchen is integrated with both a motion detector, and my Amazon Echo [amazon.com], so I can control it with voice. I save electricity, have better physical security, and I no longer have to get up on cold winter nights because my wife hears a noise. If the motion detector hasn't triggered, then I ain't gettin' up.
Re: (Score:3)
Then in exchange for "convenience" (although your setup sounds ridiculous) you give away your rights.
What "rights" have I given away?
Re: (Score:2)
What "rights" have I given away?
The right to privacy, dumbass.
Only in your paranoid fantasy. The lightbulbs are too cheap to contain an NSA microphone. If the NSA wants to spy on me, they would be WAY better off compromising the Amazon Echo, which already listens in and digitizes everything it hears. The IoT lightbulbs add near zero additional threat surface.
Re: (Score:2, Interesting)
You could use a centralized control box for bog standard lamps and cams, too, and get the same functionality. You can also tell your 21st century empowered wife to get up off her lazy ass and check out the noise, but that would require you to have some balls.
Re: (Score:3)
...but that would require you to have some balls.
He does, but they're connected to the Internet.
Re: (Score:2)
That brings new meaning to "hacking 127.0.0.1" now doesn't it?
Re: (Score:1)
You definitely don't need a frigging Internet connected LIGHTBULB.
I have a few frigging Internet connected lightbulbs, and while they are not "needed", they are certainly convenient. The bulb on my porch is controlled by an IoT motion detector, which also triggers an IoT camera, and sends an alert to my cellphone. The bulb in my kitchen is integrated with both a motion detector, and my Amazon Echo [amazon.com], so I can control it with voice.
News flash. Motion detectors do not need the fucking internet to work. They just need motion.
I save electricity.
$20 on your electric bill? Well at least we know what it costs to buy your privacy. Good to know it's this cheap for the average citizen.
, have better physical security, and I no longer have to get up on cold winter nights because my wife hears a noise. If the motion detector hasn't triggered, then I ain't gettin' up.
So, all I have to really do is disable your motion detector. After all, you have "better" security by ignoring it if specific triggers aren't hit.
Re:White People Problems (Score:4, Insightful)
White People Problems
Regardless of whether you're a white, black, brown, or pink-and-purple-polkadot, Mister Anonymous Coward, you are a racist and therefore part of the problems here in the United States just because you put things in those terms. I'm dead serious. The Human Race in general needs to get over this sort of shit, and if you're black? You need to stop perpetuating your own racial stereotypes, and you need to stop your own anti-white racism, because all you're accomplishing is perpetuating the vicious cycle of racism all around; knock that shit off.
ALL lives matter, not just Black lives, and anyone who doesn't agree with me can GO FUCK THEMSELVES.
Re: (Score:2)
when somebody can say to another person that a friend was arrested/jailed for "X while colored" and be mostly telling the truth ( was carrying a naloxone kit and got busted for "drug paraphernalia")
this is a problem.
but to dismiss this as a White People Problem is not considering that when the IoT comes to your local Dollar Tree/Family Dollar it's too late to do anything.
Re: (Score:1)
I have no idea how that got posted as an AC. :/
Re:White People Problems (Score:5, Interesting)
Here is where things get nefarious. IoT are like social networks. In the past, you could just tell people where to stick it when they talked about their livejournal, MySpace, or Orkut stuff. However, if one doesn't have a LinkedIn account, FB account, and a Twitter account, you will be turned down for jobs.
I know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
IoT has the potential for being just like that. For example, the Bluetooth deadbolt. It might be that apartment managers and other landlords install IoT security devices because it makes their job easier to lock out tenants being evicted, know who is going into a tenant's place, or to let maintenance in on a schedule regardless if the tenant wants it or not. Far more flexible for the property owner, and the tenant would have no choice in the matter.
Insurance can also demand IoT devices, say CCTV monitoring and file storage, or IoT deadbolts and other devices so they can be assured that a property is secured when the owners are away. If this isn't done, they won't renew the policy.
Then, there is the phone home aspect. Pull the internet connection on a modern console, it halts. I wouldn't be surprised if a future HDCP spec that requires all devices to authenticate with a central server for a healthcheck every so often, would require that all TVs and such be always on and in communication. As per the EULA of the TV, video and audio would also be sent back for "IP enforcement purposes". If someone disagrees with that... well, good luck with the no-sue arbitration agreement they agreed to...
Next comes devices. Take the refrigerator for instance. Good luck trying to find a completely mechanical one with a thermostat and compressor that runs for decades. Most have various computer controls. It wouldn't be surprising that IoT functionality is important, and no network connection means the device does not function, especially if the fridge maker starts demanding license keys to activate the ice maker, crisper section, and such.
The key is to not just avoid buying IoT shit, but make it -damn well known- that you will never buy that because you don't want another route an intruder can trespass into your home. Because IoT security is so weak, and there is zero incentive for companies to actually do something about it, it needs to die on the vine.
Re: (Score:2)
Did you sue the company?
Re: (Score:1)
The one he made up because he's frightened that kids these days are Facegramming and Instatweeting and he doesn't like it.
Re: (Score:2)
Did you sue the company?
On what grounds? There are specific laws that prohibit employment discrimination based on race, religion, gender, and a few other specific criteria. Anything else is legal. A company can refuse to hire anyone without a Twitter account, without breaking any law. My company refuses to hire smokers. That is legal. As a class, smokers have no rights.
Re:White People Problems (Score:4, Insightful)
Did you fail to read in the GP post that the interviewer told him that he was too old? "Too old" is one of those "few other specific criteria".
Re: (Score:2)
"Too old" is valid only if you're between 40 and 65 inclusive, IIRC.
However, a lawsuit will only work if you can show a preponderance of evidence in your favor, and "he said-she said" doesn't constitute one.
Anything in writing from the company mentioning "too old" would be good, but very few companies are that stupid nowadays.
Re:White People Problems (Score:5, Interesting)
It wouldn't be worth the time, since I found a far better place to be at anyway, job-wise.
As for FB/whatever, I decided to make an account, and keep them around. I now use Twitter for announcing GitHub releases I make. That way, the account is of actual use.
As for IoT, whining about it is not going to do much. However, there are a few ways to actually make IoT truly secure... not secure as in the sense of "locking it down" secure... but secure as in resisting unauthorized intrusions, modifications, deletions... the classic sense.
Three ways to make it work:
1: Get some people who know what they are doing, such as Bruce. Make a UL type independent organization whose job it is to check security of products in both white-box testing and black-box testing. Security such as resisting attacks via the network, ease of resetting the device, should the owner lose the password, how firmware updates are handled [1], how the device reacts to intrusion attempts, internal security like chrooting, signed executables, SELinux, ASLR, and other methods. Have the independent organization's approval a must for the device to be sold. Of course, this invites regulatory capture, and genuine security can easily be perverted into "keeping the user out" security... but anything in IoT is better than nothing.
2: Move to a different topology for IoT devices than having the devices connecting directly to the Internet via a 3G/4G connection or using a Wi-Fi access point. Instead, the devices should communicate on the LAN basis to a hardened appliance... and that appliance does the sending and receiving for the devices. This way, the "smart toaster" communicating to the hub via Bluetooth will be extremely difficult to hack because it sends the user's toaster preferences up through the BT hub, which then relays it through the Internet. Going with a hub/spoke, with redundant hubs possible, would significantly decrease the attack surface of IoT devices.
3: Use the principle of least privilege. If an Internet connection isn't needed (say for a device to work as a remote), use Bluetooth. If the device has to have an Internet connection for updates, have documentation that describes the sites it connects to [2], and what ports that it should be allowed. Anything else should be blocked. The device should even enforce this in its OS firewall (netfilter for Linux, for example) to protect against unauthorized processes trying to get out. If "smart" functionality isn't needed, don't bother with it.
Take the "smart" refrigerator. If appliance companies wanted to make something expensive, why not a fridge with two cooling mechanisms... the standard compressor that plugs into the wall, and an absorption mechanism which can be powered by electricity, natural gas, or propane. This way, if there is a power blackout, the fridge still retains cooling capacity, and with a thermoelectric generator (think a Peltier running in reverse), would have enough power to keep the core circuit board running. I'm sure there would be more demand for a fridge that keeps the food cold if power goes out, than a fridge which can display ads 24/7 on the screen.
[1]: I believe in the old school idea of a physical button or switch that is used before flashing firmware... but this isn't something that can be done if the device is not physically accessible, so maybe a fallback would be some other mechanism. That way if the RSA key is compromised, the vendor can use a different, but still secure, way to get the updates to devices.
[2]: Ideally, it should just fetch a signed manifest via SSL, and go from there. If the embedded OS is Linux, it could even use an existing package manager like Yum or apt so that wheel doesn't have to be reinvented.
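An added example, not part of the comment above or of any vendor's code: point 3 of that comment (documented destinations and ports, everything else blocked, enforced in the device's own netfilter rules) expressed as a default-drop nftables output chain generated from a documented allow-list, plus an audit of observed flows against it. The manifest format, log format, table name and all addresses are constructed assumptions.

```python
import ipaddress

# Constructed vendor documentation (hypothetical format): every destination
# the device may contact. Addresses are RFC 5737 documentation ranges.
MANIFEST = [
    {"purpose": "firmware updates", "addr": "192.0.2.10", "proto": "tcp", "port": 443},
    {"purpose": "time sync", "addr": "198.51.100.5", "proto": "udp", "port": 123},
]

# Constructed connection log, one flow per line: proto dst_addr dst_port process
OBSERVED = """\
tcp 192.0.2.10 443 updater
udp 198.51.100.5 123 ntpd
tcp 203.0.113.77 8080 telemetryd
tcp 192.0.2.10 80 updater
"""


def allowed_flows(manifest):
    """Validate the manifest and return a set of (proto, address, port)."""
    flows = set()
    for entry in manifest:
        proto, port = entry["proto"], entry["port"]
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {proto!r}")
        if not isinstance(port, int) or not 1 <= port <= 65535:
            raise ValueError(f"invalid port: {port!r}")
        # ip_address() raises ValueError on hostnames or malformed input;
        # netfilter matches on addresses, so names must be pinned beforehand.
        flows.add((proto, ipaddress.ip_address(entry["addr"]), port))
    return flows


def render_nftables(flows, table="iot_egress"):
    """Render an nftables output chain: default drop, then the allow-list."""
    lines = [
        f"table inet {table} {{",
        "    chain output {",
        "        type filter hook output priority 0; policy drop;",
        '        oifname "lo" accept',
        "        ct state established,related accept",
    ]
    ordered = sorted(flows, key=lambda f: (f[1].version, int(f[1]), f[0], f[2]))
    for proto, addr, port in ordered:
        family = "ip" if addr.version == 4 else "ip6"
        lines.append(f"        {family} daddr {addr} {proto} dport {port} accept")
    lines += ["    }", "}"]
    return "\n".join(lines)


def audit(log_text, flows):
    """Return observed flows that the documented allow-list does not cover."""
    violations = []
    for raw in log_text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        try:
            proto, addr, port, process = fields
            flow = (proto, ipaddress.ip_address(addr), int(port))
        except ValueError:
            # Unparseable lines are reported, never silently skipped.
            violations.append(("unparseable", raw.strip(), 0, ""))
            continue
        if flow not in flows:
            violations.append((proto, addr, int(port), process))
    return violations


if __name__ == "__main__":
    flows = allowed_flows(MANIFEST)
    print(render_nftables(flows))
    for v in audit(OBSERVED, flows):
        print("not in documented allow-list:", v)
```

The same manifest drives both enforcement and detection, so a process that reaches an undocumented destination, or a documented host on an undocumented port, shows up in the audit even before the drop policy is deployed.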
Re: (Score:2)
know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
"Over 40" is a protected class. This is no different legally than an interviewer telling you he doesn't hire blacks. If you didn't just make this up, it's worth suing them.
Re: (Score:2)
Yeah, because non white people don't buy the same damn products.
Don't forget TPP (Score:3, Insightful)
https://wikileaks.org/tpp-ip3/ [wikileaks.org]
web site take-downs without court orders?
Illegal to modify devices you own?
etc.
Re: (Score:2)
It is a shame that the best way to block this bad idea may be the gridlock in Congress.
Re:Don't forget TPP (Score:4, Interesting)
It is a shame that the best way to block this bad idea may be the gridlock in Congress.
There are many, many good things about gridlock. The only reason I am planning to vote for Hillary in November is because that will ensure that the gridlock continues.
Ministry of Sabotage (Score:3)
Frank Herbert wrote a series of novels and short stories about a future in which the Government had become efficient, and because of that, sorely oppressive. In order to restore basic freedoms, a Ministry of Sabotage was instituted, whose job it was to throw wrenches into Government projects, especially ones that intruded into the basic freedoms of the populace.
Edward Snowden comes to mind...
Re: (Score:2)
I'm sure the members of Congress can put aside their differences and cooperate to screw the average person by giving the big corporations more powers and allowing them to socialize the enforcement.
Vote Trump to kill the job killing bill. (Score:1)
Vote Trump to kill the job killing bill. Manufacturers already are lining up to send jobs to Vietnam, where the minimum wage is just 52 cents an hour.
Re: (Score:1)
Vote Trump to kill the job killing bill.
Bernie and Huck are also opposed. Bush, Rubio, and Kasich are supporters. All the others (including Hillary) have waffled.
The Internet of Things is Stupid (IOTIS) (Score:5, Insightful)
The Internet of Things (IOT) is being driven by commercial interests that are more interested in spying (known in commercial circles as marketing) and in control. Benefits will accrue, but they will not accrue to the people paying for the gear, which makes the IOT value subtracting for the average citizen.
Re:The Internet of Things is Stupid (IOTIS) (Score:5, Interesting)
People want free things, so firms are going to produce products for this market. People don't understand the technology or how it impacts security or privacy so they will just buy the cheap or free products. Look at PCs in the 90's. People were fine having malware on their purchased computers if it meant saving $50. For the most part they would not buy more secure computers because they cost more.
Re: (Score:1)
They are expensive and you don't get any benefits.
I have the sum of human knowledge in the palm of my hand, and a kick ass SSH client, to boot.
People don't understand the technology or how it impacts security or privacy
Yeah, they do. Protip: Most people don't give a flying fuck, and are in the right of it for their lack of fucks.
Re: (Score:2)
Smart phones are stupid. they cost privacy and security. They are expensive and you don't get any benefits.
Clearly, the users of these phones think there are some benefits or they wouldn't use them.
And given that the phones *are* expensive (at least the good ones), clearly the users think those benefits are worth paying a lot for.
Re: (Score:2)
Don't get any benefits? Easy text comms in real time in multiple languages is pretty beneficial to me. Mapping and navigation, being able to look stuff up and compare prices in shops... I could go on.
Re: (Score:2)
IoT can be very useful but it needs standards. My house knows what temperature it is inside the fridge freezer and chest freezer out in the garage, this is useful to me, both in the hey my son forgot to properly close the chest freezer or the odd mechanical/electrical failure. It knows if people are home and when people are going to be getting home. It knows when we're going on a weekend trip. This can save me money by kicking back heating/cooling hot water (yea I know instant hot water is the rage but
Re: (Score:2)
Maybe, maybe not. The Philips Hue saga shows that maybe consumers have enough of a voice in this case. The formula which maximises profits involves having a strong enough user base to ride through the losses when you royally screw those users. Google has this. Microsoft has this. Philips didn't. Random IoT startup... unlikely.
I respect Bruce, but... (Score:5, Interesting)
His example of the Hue dustup was a poor, poor choice as example there.
1) Hue bulbs use ZigBee Light-Link Profile.
2) The bulbs (all of them...ALL OF THEM in the IoT space right now) cannot be re-flashed.
3) In order to get a permanent private key for each SKU shipped using ZigBee LL Profile, the devices must conform to the spec and properly interoperate. So, they can't dink with the bulbs, period.
4) The only place you can even possibly DO what Philips attempted to do would be to dink with the final phases of the LL handshake, wherein the coordinator (the gateway puck) would allow federation with the mesh or not at the last part of the process, based on manufacturer and manufacturer ID, and just drop the federation request on the floor if it didn't match the list.
5) It's not DRM, per se. Worse, it's NOT compliant with the ZigBee spec. Not sure how the Consortium would handle a revocation of things like that, but the Coordinator in that configuration no longer complied with the spec (which is to allow Home Automation and Light-Link protocol devices ONTO that mesh and be able to control them, period).
6) Better yet, there were competing products (Iris, Wink, etc.) that could work with Philips' crap because of the ZigBee spec. While some of them don't have an "API" to drive it via PC, some do- and moreover, some of them let you have ZB and Z-Wave light controls signal lights on and off or to federate clusters of bulbs with a control panel that acts like a Light Switch. Philips just simply cut their own throats by trying this. People can go buy up their RGB bulbs or Osram's...and get the same basic functionality as Hue provided...for less money in most cases.
Re:I respect Bruce, but... (Score:5, Interesting)
Not really.
What Philips did was effectively refuse to send control codes to non-Philips bulbs. So you could still use non-Philips ZigBee lights and they'd still help form the mesh network, you just couldn't turn them on or off or dim them or whatever it is that Hue does. And, of course, a lightbulb that can't be made to light is essentially useless even if it is helping your bridge communicate with a distant bulb.
But you're right, you should (in theory) be able to throw away the Philips hub (the part that communicates from the app to the bulbs) and switch over to a non-Philips hub and get control of your lights back. Just not with the existing app.
Which means that involves setting up your entire system from scratch, rebuilding everything you had set up in the Philips app in the new app, and potentially means your physical switches that Philips sells no longer work.
And, of course, any new bulbs you buy from Philips presumably won't work with the new bridge. And there may be some "special features" that only work with the Philips bridge but who knows what those would be.
Re: (Score:2)
I have light sockets that are at this point 20 years old. My parents have ones that are 60+ years old. They *still* *work*.
They will continue to work. IoT lightbulbs screw into standard sockets.
Re: (Score:2)
I really wish we could find out.
Re: (Score:2)
You provide consumers value in order to justify purchasing. Otherwise they deserve to go out of business. Companies aren't owed our money.
Comment removed (Score:5, Insightful)
Re:It will blow back in their faces (Score:4, Interesting)
Unlikely. People won't even realize it. And it will only affect a tiny portion of the people buying those IoT trinkets.
Look at the various devices that are already locked down and sealed. People are willing to put up with it. They buy from the walled-garden store, they buy the printer ink, they accept it. Of course they don't actually know what's going on, and they might even complain and lament, but they buy.
And as long as they buy, the corporations don't give a fuck about the rest.
Re: (Score:2)
Or so I'd hope at lea
monopoly? (Score:3)
The trouble with ZigBee is that "ZigBee compliant" doesn't mean different devices will actually work together. Z-Wave, a more restrictive and more proprietary system, actually works better. And that illustrates what's wrong with Schneier's reasoning: forcing platforms and protocols to be open does not necessarily make life easier for consumers, because something being proprietary can result in better user experiences, as the owner of that technology has a stronger financial interest in policing it. Apple devices are another example of this. Many technologies that we now think of as "open" started off as proprietary.
Nevertheless, I think the DMCA is overreach and unnecessary: there shouldn't be legal penalties for reverse engineering or making compatible implementations. On the other hand, we should also not mandate open protocols and not scream bloody murder every time someone comes up with a proprietary system or puts up barriers to interoperability.
As for home automation, there is no "monopoly" and no sign of one: there are a dozen different standards, some open, some mildly proprietary, and some completely proprietary, plus hundreds of vendors. Let the market decide which model works best. I don't think it will be full ZigBee, because that "standard" is a mess.
Oh, there's still a choice ... (Score:2)
Don't fucking buy this Internet of Things, crap.
Don't trust that you aren't getting screwed in the deal. Don't trust that your security isn't being left up to some greedy asshole of an MBA. Don't trust that it isn't designed first and foremost for analytics and ads to make even more money for those greedy assholes.
Stop buying into this garbage, you don't need your damned phone to be able to control your lights.
Feel like you're getting screwed in the process? Don't play the game.
Millions of people every d
Patents vs de jure standards (Score:4, Insightful)
I think the SDOs (ISO, ANSI, IEEE, etc) made a fundamental mistake when they decided to accept patented technologies as part of formal (de jure) standards.
If I were King, the FRAND license cost for any patent that appears in a de jure standard would be $0. If the patent-holder won't give up the rights, then the technology should not appear in a standard. Now that clearly would restrict what can be standardized, but that's a tradeoff that both society and patent holders should accept.
(And technology R&D funded by governments should be royalty/license free. DoD certainly used to do that, and look at the advantages -commercial companies- have gotten from the fact that the basic Internet protocols are royalty free/not patented.)
Re: (Score:2)
That's because you don't know how these groups work.
They're a consortium of industry groups who get together to make standards.
Here's how in general it works - if people want to make a new standard, they get together. Each company sends a few technical people to hash out the specification, because every standard is not done for technical excellence, but o
Re: (Score:2)
Well, I've worked on several IEEE and ISO standards projects in software, so I do have experience with the processes.
Standards activities might well be the way you describe, but those I've worked on are not.
Bruce, get a grip on reality (Score:1)
Bruce, thank you for saying some of what needs to be said.
But please drop the Apple hate—Music downloaded via iTunes can be saved in DRM-free MP3 format, and it has been this way for about 8 years.
And please do not be afraid of bashing the IoT. It is one of the stupidest ideas that humanity has ever come up with.
No, really, the stupidest. Stupider than eugenics. Stupider than. . . OK, that is about the crown of them all, but please somebody prove me wrong and argue that there was ever a stupid
Re:Reasons why I don't like the Internet of Things (Score:5, Funny)
Internet of Things devices could watch me while I sleep.
So does Santa Claus... So be good, for goodness sake!
Re: (Score:2)
But at least the old fatso doesn't rat you out.
Re: (Score:1)
So does Santa Claus... So be good, for goodness sake!
So is 'Santa Claus' the code-name for the NSA, the CIA, the FBI, or some other government spy-on-citizens 'intelligence' agency? Would certainly explain a number of things.. do you work for them? XD
..but I diverge.
The 'Internet of Things' serves best as an IQ test: If you buy into it, you're probably not very smart; it's a trap, and it's one you pay for to get stuck in. Ask yourselves: Do you really need an internet-connected refrigerator, microwave oven, conventional oven, toaster, dishwasher, clothes was
Re: (Score:1)
The internet of things, to me, is a set of devices and items that are connected to a network and are accessible to me via my own services, should I choose to have them. A network connected fridge that can signal that it is warm on my LAN to have said signal picked up by my HA unit which then messages me is what I envision. Nowhere in that vision does my LAN even need to be connected to the internet proper. In fact, I'd be most happy if my HA LAN was not connected to the internet in any way.
Of course, suc
Re: (Score:1)
If it was a reasonably spec'd out system, you'd just plug and play. All you'd need is a hub or a service running that would interact. Need a new device, add it to the service or hub. It's a pretty simple system, as long as monetizing your activities and data stays out of it.
I'm currently hacking some hardware for just this purpose, only because one is not offered that can run without a cloud service.
Re: (Score:2)
So, you can't see the utility in:
A refrigerator that lets you know you need to pick up milk or eggs, and lets you know when the temperature is out of an acceptable range (door was left open by someone, or there is a problem with cooling) so that you can deal with it before it becomes a major issue like defrosting the whole freezer full of food?
A microwave oven that sends a text message that there is a problem, or when it is time to clean/disinfect
A conventional oven that signals when the roast is ready
A dis
Re: (Score:3)
Internet of Things devices could watch me while I listen to the Backstreet Boys.
You sick bastard, the Backstreet Boys? Really?
Off with your head.