The light bulbs want to know about the seafood and the Web is slow...


johnny1...@gmail.com

Feb 27, 2017, 11:06:30 PM
to HMS Overflow
An ongoing interest of mine, one I banged on about on General Chatter over at SJGames, was that the Internet is so badly, insecurely designed that it's essentially insecurable, and that the 'Internet of Things' has the potential to make it far, far worse.  An example of this:


Assuming the story is accurate, a bad actor managed to use the campus' vending machines, and light systems and other IoT devices, all networked into the Internet because of Reasons, to interfere with the operation of the campus network.  In itself, this is a nuisance, but it exemplifies the possibilities.

If we're going to deal with cybertrouble, one thing we desperately need to get away from is the cultural attitude among IT designers and engineers that the Rule of Cool is a good reason to do something in real life.

Johan Larson

Feb 28, 2017, 5:24:36 AM
to HMS Overflow
I think it has more to do with Control and Cheap than Cool. People often want to be able to monitor and control stuff centrally. OK, so the distributed devices and services somehow need to communicate with home base. But how? Well, there's already internet cable running everywhere, maybe even a wireless network...

I do agree with you that the internet is misdesigned for what we use it for today. The thing started as a cold-war-era network for maintaining communication among institutions, but today we use it for teenage chatter. If we had a chance to do it again, we'd do it differently. 

Personally, I think it will take a war or something close to one to change things. Advanced nations now have "Cyber-Defence" forces that can certainly be used offensively. In a serious quarrel, maybe just short of a shooting war, two such nations might try to bring down each other's networks, and a really surprising amount of stuff would stop working. That might even spread somehow, disrupting the system world-wide. That would be the wake-up call that brings real change.

johnny1...@gmail.com

Feb 28, 2017, 3:19:21 PM
to HMS Overflow
It's both the desire for central control and the Rule of Cool, working in tandem.  The customers, the institutions like universities, companies, agencies, campus maintenance teams, etc. like the centralized monitoring and control the Internet of Things potentially offers, yes, and they really like the short-term cost efficiency of using the existing Internet as the data transfer infrastructure.  The long term risk doesn't usually get priced in, as you note.

But don't underestimate the degree to which the Rule of Cool is at work among the IT designers, programmers, and engineers who are creating the IoT.  It was this same thinking that drove a lot of the rise of the Internet in the 1990s and 2000s, both the useful aspects of it and the huge built-in bad issues derive in considerable degree from the culture that dominated IT work in that period.

'Open, not closed', was one common trope of that culture.  A lot of IT people had an idealistic aversion to the very idea of barriers and boundaries within the system, or any kind of coercive limitations on its operation. 

Another one was 'information wants to be free', which is semantic nonsense but embodies an ideology common among IT personnel in the rise of the Internet.  Jaron Lanier has documented how this ideology, perversely, led to the rise of centralized Internet monopolies like Google and Facebook, which function as surveillance organizations on their own users.

A lot of engineers live and breathe the Rule of Cool, if their circumstances are such that they can get away with it.  The cliché of the creative engineer or programmer stifled by an accountant or bureaucrat contains a germ of truth, and it's also true that sometimes the accountant is right, and his presence is necessary to keep the creative engineer from making something hugely Cool but irrelevant to the customer or a liability to the organization.

A lot of the technical people working to create the IoT are motivated less by profit (though of course they hope to make money) than by the sheer fun of it.  It's a Cool idea, from the technical POV.  Whether it's a good idea is a separate question entirely.

johnny1...@gmail.com

Mar 8, 2017, 12:13:54 AM
to HMS Overflow
Following up on my comments, a writer here points out a few things that would help considerably in the IoT security problems.


Note that most of what he suggests is not earth-shakingly difficult, just inconvenient at times.  Most of it is just common sense.

But ideologically, it is resisted by many IT people and cyber-types precisely because it is coercive.  That is, the writer recommends that the government mandate that people change passwords before an IoT device can access the Internet.  He points out (correctly) that most IoT devices can be limited in the number of data requests they send per unit time without affecting performance.  But it's still a limit.  It cuts against the libertarianish grain of the Silicon Valley/IT culture.

Of course, the writer also notes the even bigger security issue involved in globalized production of IT components and software, which is bigger than anything any individual can do much to correct.  This issue is an unexploded bomb.

johnny1...@gmail.com

Apr 4, 2017, 2:21:01 AM
to HMS Overflow
Another instance of what I mean when I say that it's not just one device or bad program, it's the entire infrastructure of IT, including the business organizations and above all else the culture of IT that leads to the security and safety issues.


There just isn't very much the individual user can do to protect himself from this, it's a systemic problem, that's rooted in economics (security costs money) and a basic cultural/ideological attitude that permeates the IT world, and can be summed up oversimply as "open is better", or 'open not closed'.  That attitude contributed to the tremendous speed of advancement of IT in the last 25 years, but it also left an IT universe that is unstable, insecure, and lends itself well to misuse.

There are a handful of things you can do to help your odds.  If you don't really need or at least have some real use for that app, don't download it, even from a reputable store or supplier.  Avoid storing personal data you don't want shared on your smartphone, to the degree you can.  Etc.  Stuff like that.

But the system is badly broken.

Johnny1A

Jun 13, 2017, 11:55:49 PM
to HMS Overflow
The Internet of Things strikes again:


The Internet, as implemented over the last 35-45 years, is simply inherently insecure.  Any security measures used to deal with this are add-ons trying to compensate for a weak base, like reinforcing a wall with steel rods, when wall and rods are both mounted on a cardboard floor.

The IoT makes things worse because like the basic Internet, security was an afterthought in its conception and implementation, even in the West.  Add in Chinese hardware and software, with a semi-hostile government behind it, and Western governments with an interest in undercutting security in hardware as well, and we're left with a potential security disaster.

I'm suspecting more with each passing day that at some point in the not-too-distant future, we'll suddenly see a fad or movement in organizational circles for at least a partial return to paper.

Warren Ellis

Jun 16, 2017, 8:20:34 PM
to HMS Overflow
How right-leaning is the Free Beacon? Is it at Breitbart levels of crap?

Johnny1A

Jun 16, 2017, 11:02:53 PM
to HMS Overflow
It leans right, like Breitbart, which is most definitely not crap, or at least no more so than the rest of the media on either side.

Not that that matters with regard to this story.

Warren Ellis

Jun 17, 2017, 4:38:31 AM
to HMS Overflow
Breitbart has a bad habit of being even worse than most media outlets. And that's pretty impressive. Really in their case, I try to look at the original sources they use because they've sometimes changed stuff compared to the source they're using for their info.

As for this, well, looks like the company in question had been warned before but took such warnings lightly: http://www.cybersecurity-insiders.com/foscam-usa-issues-a-cyber-security-alert-to-all-its-users/


Johnny1A

May 15, 2018, 2:00:52 PM
to HMS Overflow
Just the latest little thing:


Essentially, the story is about yet another security hole that lets a 'smart doorbell' be used as a spying tool.

Right now, the IT industry is so loose about security that the entire concept of a 'smart home' should be rejected out of hand.  In theory it's not automatically bad, a properly set up and implemented 'smarthome' could be a great thing for the elderly and disabled, for example.

But right now, security and reliability and safety and privacy are simply not issues in the culture of the IT world, and the last is inherently undermined by the primary business model of most Internet companies.  The Internet as currently implemented is inherently insecure.  It was made to be insecure, in essence, by a culture of IT people who fetishized 'openness'.

So connecting the systems controlling your house to it is turning control of your house over to someone else.  Even concepts like 'smart meters' for electrical power should be looked at as suspect, because of the transfer of control.

The best way to defeat a panopticon is to not build it in the first place.  If you don't like the thought of outsiders being able to control your appliances, don't connect them to outside communications. 


Warren Ellis

May 16, 2018, 5:17:10 PM
to HMS Overflow
Just a heads up, it looks like the Senate was able to get enough votes to keep net neutrality running: https://www.google.com/amp/s/amp.cnn.com/cnn/2018/05/16/politics/net-neutrality-vote-senate-democrats/index.html

Johnny1A

May 17, 2018, 12:20:54 AM
to HMS Overflow
The Dems like net neutrality because it gives them an opening to silence their opposition, the GOP mostly opposes it, but some of them like to grandstand (the usual suspects).

It probably can't make it past the House and Trump looks unlikely to sign it, but who knows?

Warren Ellis

May 17, 2018, 1:26:52 AM
to HMS Overflow
Frankly I think we need more telecommunications competitors. Monopolies aren't free market.

And ours want to slow down or speed up bandwidth when they feel like it, which is irritating.

Warren Ellis

May 17, 2018, 1:27:46 AM
to HMS Overflow
So frankly, I don't care if the Dems want to silence their opponents, I'm fully supporting them on this one issue.

Johnny1A

May 17, 2018, 10:48:16 PM
to HMS Overflow
The problem is that 'net neutrality' doesn't eliminate the oligopoly, it ends up reinforcing it.

It's an old thing.  Back in the, General Motors loved government regulation because it squeezed Ford and Chrysler harder than it did GM.

I think we'd do better to regulate Silicon Valley to prevent one company from owning so many things in so many areas, and change the business model so that there was more fee-for-service and less 'free', since the latter is actually 'service in exchange for being spied upon'.

Warren Ellis

May 18, 2018, 12:44:30 PM
to HMS Overflow
Silicon Valley should be regulated as well.

The companies there have become monopolies, and like the telecom companies, do little to invest in places outside of California or to help lay down more communications infrastructure to rural areas.

Johnny1A

May 21, 2018, 10:08:49 PM
to HMS Overflow
The giveaway is that Google, Facebook, Twitter, etc. all publicly support net neutrality, they protested the decision to undo it, and have been lobbying Congress to restore it.  The idea that NN offers protection against them is undercut by their own support of it.


Johnny1A

May 21, 2018, 10:13:32 PM
to HMS Overflow
A small example of the IT culture I often bang on about, but an illustrative one:


If you’re on desktop, or don’t have Google Photos on your phone at all, you can view images and videos that are shared with you in a web browser. If you have the app, however, a link to a friend’s photo just opens in the app, where you’re not allowed to view the image without giving Google access to your own photos. And the default setting in Google Photos is for it to “Backup and Sync” all photos on your device, meaning anytime you’re on Wi-Fi, it uploads all photos that are on your device to Google’s servers.

There are two reasons for this, one coldly pragmatic and one more 'idealistic', or maybe 'theological' would be a better word.

The pragmatic one is that Google's business model is quite simply to collect all possible information and sell it to advertisers.  Thus they always default to 'get the data', that's what they do.  Pretty much any data might potentially be monetized at some point.

The other, subtler, reason is true of Google but also permeates the entire IT industry, and that's an instinctive, almost visceral sense of 'open', a half-conscious desire to integrate all information just for its own sake.  There's a sense that the global information system ought to be omniscient.  Not that very many IT engineers would express it that way, or that directly, or even fully admit to it themselves, but it's there.