"Humanity has been building and programming general purpose computers for about six decades now, with spectacular results, mostly good. As we contemplate the ‘Internet of Things’ in light of our collective experience, there are some disturbing conclusions to be drawn. Can we as a species safely place our economy and culture into a global distributed network of computers, if those computers are programmed by humans using commodity programming languages and tools?"
That’s the question renowned Internet security expert Paul Vixie, co-founder and CEO of Farsight Security and an Internet Hall of Fame inductee, recently posed in his keynote address for the Security BSides gathering in Raleigh, N.C.
I talked to Vixie following the address, to get his thoughts—and his advice—on the state of Internet security.
That’s a pretty complex question you posed in Raleigh. Were you also able to provide an answer?
PV: No. That was rhetorical. What I explained is that there is economic pressure to create more software companies or products that include software…and what we have seen is that the talent pool we have is already inadequate for the task. The reason is margin and time-to-market pressure. Everything that succeeds gets competition much faster than ever before in history. The first product in a category can dine well; latecomers sometimes get the table scraps.
And not all companies know how to be software companies. If you come up with an Internet-enabled light bulb, you have to know how to test your product. You have to know how to report it if this lightbulb turns out to have critical software bugs. You have to know who your customers are so you can notify them.
So ultimately, what I showed, is that by all indications, the Internet of Things is going to take everything that looks flaky and behaves badly about Internet-enabled devices today, and multiply it by about a million times.
How can these risks be mitigated?
PV: I’m short on solutions. The thing I saw recently is that Underwriters Laboratories is going to begin doing cybersecurity certifications. It used to be that if you were going to buy a toaster for your kitchen, you would make sure it was on the UL list, to make sure it wasn’t going to start a fire in your house. So, we need to get there with Internet-enabled devices. I am glad UL is going to do that. And I am glad that the Obama White House hired Peiter Zatko, a hacker and Internet security expert also known as “Mudge,” to investigate starting a cyber security program. Regulation isn’t always the right answer, but I think that in this case, the only way we’re going to get wide-spread improvement of software quality is if being a little later to market or costing a little more doesn’t make your product uncompetitive – because your competitors have to meet the same quality standards as you do.
What other steps need to be taken?
PV: If Moore’s Law gives us more transistors, and those transistors are switching faster, year by year, we are getting more computing horsepower. What we have been doing with that computing horsepower is using it to develop glitzier products with more features. But it turns out you could also use some of that new computing horsepower for safety. We’ve been writing everything in C since the early 1980s. It’s time to stop, to think if there are alternatives we might use, that would do additional run-time safety checks. But we are not using any of that new largesse in computing horsepower to make anything safer. The reason, frankly, is there is no market pressure to do so.
That’s the transition that we have to go through or else the ‘Internet of Things’ is going to be the thing that stops the world, even sooner than climate change.
Email hacks have made headlines recently, and there have been several high-profile breaches involving email and credit card databases of large companies. But we just recently saw the first widespread reporting in quite a while about a distributed denial-of-service (DDoS) attack. Does that mean the number of DDoS attacks has declined?
PV: They are not in the news as much anymore because we have them every week. What we have is a new normal, and it’s damn depressing. The problem is that nobody cares.
It’s very hard to think accurately about the actual amount of unsafety that is in the world right now. It is stunning.
Let’s talk about my special pet peeve. The thing that makes DDoS possible is the lack of source address validation at the edge of the Internet. That means [someone else’s] computer can send my computer a request pretending to be your computer, and my computer will answer yours. The source never used to matter because the Internet was born in an academic world where everybody knew and trusted everybody else. We took the same technology and gave it to 3 billion people, and they are not all trustworthy and sometimes they hate each other and they abuse this. And Internet service providers have no incentive to spend money to fix this.
What can companies and consumers do to help thwart these different types of hacks and attacks?
PV: I think that eventually people are going to realize that everything that is digital can be surveilled while it is in motion or it can be stolen, copied or damaged while it is at rest. We will probably start with these two things, both rightly headed, but they are probably going to end badly.
There is encryption. You might invest in it. But your correspondents might not. So, you are keeping your files safe, but your text is running naked through the world.
Also, I don’t think we should have access to all of our old email on a daily basis. We should have the equivalent of having to walk to another room by typing in a password, solving a puzzle. Because that email repository is so much more dangerous that when your files were locked in a filing cabinet. I think people probably won’t stop sending email, but they can use encryption, or digital shredding, or store that e-mail in some kind of one-way repository, where we won’t have a bunch of folders sticking out of our Outlook panel. But as you know, crowds move slowly. It’s going to take another 20 years. In the meantime, it’s just open season on all of us.
What immediate steps can the average computer and smartphone user take to protect themselves and others?
PV: Never turn down a software update from your vendor. It’s something the rest of us really need you to do. Accept that update to Windows 10, even it if it looks like it is going to spy on you more. Because if you run an older version of Windows, your computer is a clear and present danger to the rest of us—and we hate that. You need to give vendors a chance to fix their products. All software has bugs, the problem is you don’t know what they are at ship-time. That’s why everyone needs to keep their stuff up to date all the time.
If you are buying a new gadget, say a thermostat that is connected to a smart phone, give some thought as to whether that company is going to be in business 10 years from now. It may not be getting software updates anymore. You really want to think about the long-term impacts instead of just buying the cheapest thing at the hardware store. It used to be that the worst thing was that the cheap hammer you bought would just break. With the massive adoption of IoT-enabled devices, you now are inviting potential security risk into your home, next to your family photos and your bank records.
If there is a camera on your laptop, do you really need it to be open all the time? Or should you put a post-it note over it?
Upgrade everything. Throw it away if the company goes out of business.
And be suspicious as heck of anything that wants to connect to your network.
For more information about the security challenges of the Internet of Things (IoT), please see our Internet Society white paper: The Internet of Things: An Overview - Understanding the Issues and Challenges of a More Connected World
Image credit: Farsight Security.