There are some problems with the Internet of Things and security. For example, look up the Mirai botnet and the DDoS attack on DNS provider Dyn last month.
To understand the situation better, read Bruce Schneier's "Secrets and Lies", available as a PDF. The book was written in 2000 when things were simpler and easier to understand, but it still applies. The man has a sense of humor. Schneier makes the point that it is difficult to test software functionality but impossible to test for security.
Buffer overruns were a problem back when Morris wrote the first worm. They are still a problem because software vendors can write legal license agreements that say the vendor is not responsible for any failures caused by the software. Basically, you bought it on an "as-is" basis. So the software ships, bugs are discovered, and sometimes the vendor fixes the bugs, especially if they are made public. Vendors don't spend money doing things they don't have to do.
IoT devices are made as cheaply as possible. They are made user friendly by not burdening the user with security configuration, so user names and passwords have well-known defaults. The device has no anti-virus application. The simple routers offer little protection, as they have their own issues with default keys to their configuration.
Marketing departments have gotten very good at stampeding buyers for things of little value. So good that companies that make the control systems for the nation's manufacturing plants and utilities have embraced the Industrial IoT. That should have been the Industrial Distributed IoT (IDIoT). Previously, control systems had no connection to the Internet, and so there was no need for Internet Security concerns. Now there are many security services, so the IDIoT has created jobs, as well as sales of routers. The air gap and the data diode have been discredited since Stuxnet, which was spread by strewing the parking lot with USB drives.
Schneier emphasizes that the difficulty of providing security increases with the complexity of the system.
As you may have noticed, each new revision of an operating system provides about a 4X increase of lines of code (in the case of Windows). Security is always in a catch-up race with the ability of criminals to find and exploit faults.
Please pardon this intrusion into the world of precision time, but the issue was raised here. As a designer of industrial control systems, I've made it a point to study security, and found Schneier to be a fount of information. Perhaps a disclaimer is in order. I do not know Schneier and receive nothing from plugging his work.
Bill Hawkins