nettime mod squad on Fri, 18 Nov 2016 11:26:03 +0100 (CET)


<nettime> Schneier: 'The internet era of fun and games is over'


Bruce Schneier: 'The internet era of fun and games is over'

Austin Powell
Nov 16 at 4:31PM | Last updated Nov 16 at 4:31PM

Internet pioneer Bruce Schneier issued a dire proclamation in front of
the House of Representatives' Energy & Commerce Committee Wednesday:
"It might be that the internet era of fun and games is over, because
the internet is now dangerous."

The meeting, which focused on the security vulnerabilities created
by smart devices, came in the wake of the Oct. 21 cyberattack on Dyn
that knocked Amazon, Netflix, Spotify, and other major web services

Schneier's opening statement provided one of the clearest
distillations of the dangers posed by connected devices I've seen. It
should be required viewing. He starts around the 1:10:30 mark in the
livestream below, but we've also transcribed most of his remarks.

Here's how he framed the Internet of Things, or what he later called
the "world of dangerous things":

 As the chairman pointed out, there are now computers in everything.
 But I want to suggest another way of thinking about it in that
 everything is now a computer: This is not a phone. It's a computer
 that makes phone calls. A refrigerator is a computer that keeps
 things cold. ATM machine is a computer with money inside. Your car is
 not a mechanical device with a computer. It's a computer with four
 wheels and an engine... And this is the Internet of Things, and this
 is what caused the DDoS attack we're talking about.

He then outlined four truths he's learned from the world of computer
security, which he said is "now everything security."

1) 'Attack is easier than defense'

 Complexity is the worst enemy of security. Complex systems are hard
 to secure for an hour's worth of reasons, and this is especially true
 for computers and the internet. The internet is the most complex
 machine man has ever built by a lot, and it's hard to secure.
 Attackers have the advantage.

2) 'There are new vulnerabilities in the interconnections'

 The more we connect things to each other, the more vulnerabilities in
 one thing affect other things. We're talking about vulnerabilities
 in digital video recorders and webcams that allowed hackers to take
 websites. ... There was one story of a vulnerability in an Amazon
 account [that] allowed hackers to get to an Apple account, which
 allowed them to get to a Gmail account, which allowed them to get to
 a Twitter account. Target corporation, remember that attack? That was
 a vulnerability in their HVAC contractor that allowed the attackers
 to get into Target. And vulnerabilities like this are hard to fix. No
 one system might be at fault. There might be two secure systems that
 come together to create insecurity.

3) 'The internet empowers attackers'

 Attacks scale. The internet is a massive tool for making things
 more efficient. That's also true for attacking. The internet allows
 attacks to scale to a degree that's impossible otherwise. We're
 talking about millions of devices harnessed to attack Dyn, and that
 code, which somebody smart wrote, has been made public. Now anybody
 can use it. It's in a couple dozen botnets right now. Any of you can
 rent time on one dark web to attack somebody else. (I don't recommend
 it, but it can be done.)

 And this is more dangerous as our systems get more critical. The
 Dyn attack was benign. A couple of websites went down. The Internet
 of Things affects the world in a direct and physical manner: cars,
 appliances, thermostats, airplanes. There's real risk to life and
 property. There's real catastrophic risk.

4) 'The economics don't trickle down'

 Our computers are secure for a bunch of reasons. The engineers at
 Google, Apple, Microsoft spent a lot of time on this. But that
 doesn't happen for these cheaper devices. ... These devices are a
 lower price margin, they're offshore, there's no teams. And a lot of
 them cannot be patched. Those DVRs are going to be vulnerable until
 someone throws them away. And that takes a while. We get security
 [for phones] because I get a new one every 18 months. Your DVR lasts
 for five years, your car for 10, your refrigerator for 25. I'm going
 to replace my thermostat approximately never. So the market really
 can't fix this.

Schneier then laid out his argument for why the government should be a
part of the solution, and the danger of prioritizing surveillance over

 It was OK when it was fun and games. But already there's stuff
 on this device that monitors my medical condition, controls my
 thermostat, talks to my car: I just crossed four regulatory agencies,
 and it's not even 11 o'clock. This is something that we're going
 to need to do something new about. And like many new agencies in
 the 20th century, many new agencies were created: trains, cars,
 airplanes, radio, nuclear power. My guess is that [the internet]
 is going to be one of them. And that's because this is different.
 This is all coming. Whether we like that the technology is coming,
 it's coming faster than we think. I think government involvement is
 coming, and I'd like to get ahead of it. I'd like to start thinking
 about what this would look like.

 We're now at the point where we need to start making more ethical
 and political decisions about how these things work. When it didn't
 matter -- when it was Facebook, when it was Twitter, when it was
 email -- it was OK to let programmers, to give them the special
 right to code the world as they saw fit. We were able to do that. But
 now that it's the world of dangerous things -- and it's cars and
 planes and medical devices and everything else -- maybe we can't do
 that anymore.

That's not necessarily what Schneier wants, but he recognizes its

"I don't like this," he concluded. "I like the world where the
internet can do whatever it wants, whenever it wants, at all times.
It's fun. This is a fun device. But I'm not sure we can do that

You can watch the full committee meeting above or here.


#  distributed via <nettime>: no commercial use without permission
#  <nettime>  is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info:
#  archive: contact:
#  @nettime_bot tweets mail w/ sender unless #ANON is in Subject: