Security of all Things Internet
Security expert Bruce Schneier did this podcast, which can be summed up in two words: interesting throughout. The term Internet of Things (IoT) refers to objects around us that “talk” via the Internet. While this opens up opportunities (your fridge tells Alexa that the milk is running out, who then tells you, and you then tell Alexa to order some milk), it also opens up security risks all around.
The root cause of these security risks, explains Schneier, is as simple as it is horrifying to hear today: the Internet was never designed with security in mind! It was designed for mostly inconsequential usage, and only by academics at that. In other words, it was a conscious choice to not care about security. And boy, have those chickens come home to roost today.
Ok, but why can’t security be incorporated today? Aha, there are many reasons:
1) Complex systems are inherently hard to secure. Your smartphone is a highly complex device. And supply chain security is very hard, since it involves too many actors in the chain. See my earlier blog on that.
2) We love things that are free. But software that addresses security vulnerabilities costs money.
3) Even if you cared, there is no data available on which devices are more secure. In an age where people file reviews on everything else under the sun, what does that say about us?
4) Software patches aren’t easy to roll onto existing devices. So most of the time, we get those patches only when we buy the next phone! Now think how long you keep the fridge and you get the number of fixes it never got. So we need a mechanism to roll out patches automatically. But while everything runs on Android, Google doesn’t own the hardware, so good luck coordinating such things between Google and pretty much every manufacturer in the world.
5) There is no financial penalty when data is breached. Think Marriott or Facebook. All they face is bad publicity, and public memory is short.
6) Industries, like people, don’t learn from others. The PC industry learnt the importance of security in the 90s. The IoT industry operates like that never happened. It may also be because most founders of IoT companies weren’t even born back then!
7) And lastly, as software moves into already regulated industries like cars and medical devices, the regulations in those industries need to be updated. And you know who frames regulations, right? Yup, the government. So good luck updating anything owned and framed by the government.
Picture sound too gloomy? Schneier agrees, and fears things will change only when something catastrophic happens. Like somebody doing what the title of his book talks about: Click Here to Kill Everybody.