Schneier on Security
December 16, 2010
Security in 2020
There’s really no such thing as security in the abstract. Security can only be defined in relation to something else. You’re secure from something or against something. In the next 10 years, the traditional definition of IT security—that it protects you from hackers, criminals, and other bad guys—will undergo a radical shift. Instead of protecting you from the bad guys, it will increasingly protect businesses and their business models from you.
Ten years ago, the big conceptual change in IT security was deperimeterization. A wordlike grouping of 18 letters with both a prefix and a suffix, it has to be the ugliest word our industry invented. The concept, though—the dissolution of the strict boundaries between the internal and external network—was both real and important.
There’s more deperimeterization today than there ever was. Customer and partner access, guest access, outsourced e-mail, VPNs; to the extent there is an organizational network boundary, it’s so full of holes that it’s sometimes easier to pretend it isn’t there. The most important change, though, is conceptual. We used to think of a network as a fortress, with the good guys on the inside and the bad guys on the outside, and walls and gates and guards to ensure that only the good guys got inside. Modern networks are more like cities, dynamic and complex entities with many different boundaries within them. The access, authorization, and trust relationships are even more complicated.
Today, two other conceptual changes matter. The first is consumerization. Another ponderous invented word, it’s the idea that consumers get the cool new gadgets first, and demand to do their work on them. Employees already have their laptops configured just the way they like them, and they don't want another one just for getting through the corporate VPN. They’re already reading their mail on their BlackBerrys or iPads. They already have a home computer, and it’s cooler than the standard issue IT department machine. Network administrators are increasingly losing control over clients.
This trend will only increase. Consumer devices will become trendier, cheaper, and more integrated; and younger people are already used to using their own stuff on their school networks. It’s a recapitulation of the PC revolution. The centralized computer center concept was shaken by people buying PCs to run VisiCalc; now it’s iPads and Android smart phones.
The second conceptual change comes from cloud computing: our increasing tendency to store our data elsewhere. Call it decentralization: our email, photos, books, music, and documents are stored somewhere, and accessible to us through our consumer devices. The younger you are, the more you expect to get your digital stuff on the closest screen available. This is an important trend, because it signals the end of the hardware and operating system battles we've all lived with. Windows vs. Mac doesn't matter when all you need is a web browser. Computers become temporary; user backup becomes irrelevant. It’s all out there somewhere—and users are increasingly losing control over their data.
During the next 10 years, three new conceptual changes will emerge, two of which we can already see the beginnings of. The first I'll call deconcentration. The general-purpose computer is dying and being replaced by special-purpose devices. Some of them, like the iPhone, seem general purpose but are strictly controlled by their providers. Others, like Internet-enabled game machines or digital cameras, are truly special purpose. In 10 years, most computers will be small, specialized, and ubiquitous.
Even on what are ostensibly general-purpose devices, we’re seeing more special-purpose applications. Sure, you could use the iPhone’s web browser to access the New York Times website, but it’s much easier to use the NYT’s special iPhone app. As computers become smaller and cheaper, this trend will only continue. It'll be easier to use special-purpose hardware and software. And companies, wanting more control over their users’ experience, will push this trend.
The second is decustomerization—now I get to invent the really ugly words—the idea that we get more of our IT functionality without any business relationship. We’re all part of this trend: every search engine gives away its services in exchange for the ability to advertise. It’s not just Google and Bing; most webmail and social networking sites offer free basic service in exchange for advertising, possibly with premium services for money. Most websites, even useful ones that take the place of client software, are free; they are either run altruistically or to facilitate advertising.
Soon it will be hardware. In 1999, Internet startup FreePC tried to make money by giving away computers in exchange for the ability to monitor users’ surfing and purchasing habits. The company failed, but computers have only gotten cheaper since then. It won't be long before giving away netbooks in exchange for advertising will be a viable business. Or giving away digital cameras. Already there are companies that give away long-distance minutes in exchange for advertising. Free cell phones aren't far off. Of course, not all IT hardware will be free. Some of the new cool hardware will cost too much to be free, and there will always be a need for concentrated computing power close to the user—game systems are an obvious example—but those will be the exception. Where the hardware costs too much to just give away, however, we'll see free or highly subsidized hardware in exchange for locked-in service; that’s already the way cell phones are sold.
This is important because it destroys what’s left of the normal business relationship between IT companies and their users. We’re not Google’s customers; we’re Google’s product that they sell to their customers. It’s a three-way relationship: us, the IT service provider, and the advertiser or data buyer. And as these noncustomer IT relationships proliferate, we'll see more IT companies treating us as products. If I buy a Dell computer, then I'm obviously a Dell customer; but if I get a Dell computer for free in exchange for access to my life, it’s much less obvious whom I’m entering a business relationship with. Facebook’s continual ratcheting down of user privacy in order to satisfy its actual customers—the advertisers—and enhance its revenue is just a hint of what’s to come.
The third conceptual change I've termed depersonization: computing that removes the user, either partially or entirely. Expect to see more software agents: programs that do things on your behalf, such as prioritize your email based on your observed preferences or send you personalized sales announcements based on your past behavior. The “people who liked this also liked” feature on many retail websites is just the beginning. A website that alerts you if a plane ticket to your favorite destination drops below a certain price is simplistic but useful, and some sites already offer this functionality. Ten years won't be enough time to solve the serious artificial intelligence problems required to fully realize intelligent agents, but the agents of that time will be both sophisticated and commonplace, and they'll need less direct input from you.
Similarly, connecting objects to the Internet will soon be cheap enough to be viable. There’s already considerable research into Internet-enabled medical devices, smart power grids that communicate with smart phones, and networked automobiles. Nike sneakers can already communicate with your iPhone. Your phone already tells the network where you are. Internet-enabled appliances are already in limited use, but soon they will be the norm. Businesses will acquire smart HVAC units, smart elevators, and smart inventory systems. And, as short-range communications—like RFID and Bluetooth—become cheaper, everything becomes smart.
The “Internet of things” won't need you to communicate. The smart appliances in your smart home will talk directly to the power company. Your smart car will talk to road sensors and, eventually, other cars. Your clothes will talk to your dry cleaner. Your phone will talk to vending machines; they already do in some countries. The ramifications of this are hard to imagine; it’s likely to be weirder and less orderly than the contemporary press describes it. But certainly smart objects will be talking about you, and you probably won't have much control over what they’re saying.
One old trend: deperimeterization. Two current trends: consumerization and decentralization. Three future trends: deconcentration, decustomerization, and depersonization. That’s IT in 2020—it’s not under your control, it’s doing things without your knowledge and consent, and it’s not necessarily acting in your best interests. And this is how things will be when they’re working as they’re intended to work; I haven't even started talking about the bad guys yet.
That’s because IT security in 2020 will be less about protecting you from traditional bad guys, and more about protecting corporate business models from you. Deperimeterization assumes everyone is untrusted until proven otherwise. Consumerization requires networks to assume all user devices are untrustworthy until proven otherwise. Decentralization and deconcentration won’t work if you’re able to hack the devices to run unauthorized software or access unauthorized data. Decustomerization won’t be viable unless you’re unable to bypass the ads, or whatever the vendor uses to monetize you. And depersonization requires the autonomous devices to be, well, autonomous.
In 2020—10 years from now—Moore’s Law predicts that computers will be 100 times more powerful. That'll change things in ways we can't know, but we do know that human nature never changes. Cory Doctorow rightly pointed out that all complex ecosystems have parasites. Society’s traditional parasites are criminals, but a broader definition makes more sense here. As we users lose control of those systems and IT providers gain control for their own purposes, the definition of “parasite” will shift. Whether they’re criminals trying to drain your bank account, movie watchers trying to bypass whatever copy protection studios are using to protect their profits, or Facebook users trying to use the service without giving up their privacy or being forced to watch ads, parasites will continue to try to take advantage of IT systems. They'll exist, just as they always have existed, and like today security is going to have a hard time keeping up with them.
Welcome to the future. Companies will use technical security measures, backed up by legal security measures, to protect their business models. And unless you’re a model user, the parasite will be you.
This essay was originally written as a foreword to Security 2020, by Doug Howard and Kevin Prince.
Posted on December 16, 2010 at 6:27 AM
What you call decentralization is in fact the opposite: a way of centralizing data. Instead of on individual desktops or on machines in someone's pockets, data is hosted in commercial data centers. The "cloud" is anything but.
@Marc: In this vision of the future, there will be "data hubs" like GMail, but any individual user will access many of them. There's no single, per-person or per-company data hub, like the PC or the mainframe.
"It won't be long before giving away netbooks in exchange for advertising will be a viable business."
We're already at the point where you get free playstations for phone plans, etc. I can't see this being very far off at all.
@Marc B: I agree with you, though I understand why one might not. In using "the cloud" to store data, it's decentralized in that many machines store many different subsets of "your" data. A traditional desktop machine stores all of "your" data, and is thus ultimately centralized.
"That’s IT in 2020— it’s not under your control, it’s doing things without your knowledge and consent, and it’s not necessarily acting in your best interests."
How is that different from today? My corporate laptop, while giving the impression that it's under my control, is really under the complete control of the IT department. IT certainly does things to it with neither my consent nor knowledge, and while most of it is benign maintenance I doubt it is all in my best interests. The corporate proxy server certainly blocks significant amounts of internet content that are directly pertinent to my day-to-day work. I'm sure a significant portion, if not everything, that I do is recorded and somewhere there is a long list of violations of IT policies that, even if they were made as necessary steps in doing my job, could be used to summarily fire me.
The difference could be that today there's "one central corporate IT," rather than a myriad of different providers, but even that isn't true. Corporate IT is a complex web of outsourcing relationships. Yes, we're trending toward that web becoming more complex and less personal, but it is certainly already there.
I love it! And it is true that:
"All of the biggest technological inventions created by man - the airplane, the automobile, the computer - says little about his intelligence, but speaks volumes about his LAZINESS"
"...Another ponderous invented word,..."
All words are invented.
15 years ago what was our security? "Stateful firewalls and SSL."
And today our security is "stateful firewalls and SSL"...
And in 15 years, when every device is its own IPv6 island in hostile seas?...
Probably not stateful firewalls. Why? Because the price of hardware realistically these days is the marketing to sell it...
So just about every CPU cycle will be reserved for "user experience" as defined by marketing, oh and the data consumers (not you, as Bruce notes).
So our security in the device will be virtually NIX, just a "VPN connection" off to your service provider of very limited choice, who will have absolutely unrestricted access to every keypress as you make it.
As this will be by default your only access point to the modern world, you will be 100% owned by some corporate who you have no control over, just an empty Faustian Contract.
And Dante thought hell was fire and brimstone; boy, did he ever lack imagination...
But it gets worse: those "smart meters" will control every appliance in your house with only a nod in your direction as to who really controls it.
And the security protocols, well, they will be designed for minimum CPU cycles, minimum memory and hardware footprint. Secure they will not be, as experience tells us.
I can see an increase in "off grid" living as you will have no choice; the expression "if you aren't consuming you ain't living" will have real meaning for many in our new political dystopia maximised for the "efficiency" of the race to the bottom to maximize very short term profit with highly disposable product (and as Bruce notes, you are that product)...
A well articulated list of commercially driven trends.
Does anybody consider State sponsored trends (e.g. surveillance/compliance/legal) will be a force on a par with these commercial ones, and significantly shape 2020 too?
I doubt we'll see widespread giveaways of computers or phones in exchange for advertising. Web services like Google and Facebook are cheap at the margin; that is, after the sunk cost of infrastructure it costs next to nothing to provide the service to each additional user. This means they don't need to make very much ad revenue per user. With hardware, the marginal cost is most of the cost. A company would need to serve a lot of ads to pay for each $500 netbook/tablet/etc. that it gives away. And is someone who won't spend $500 on a computer really that lucrative of a target for advertising to be delivered via said computer? Even if he isn't broke -- what if he just wouldn't use it that often?
If that model would work, why haven't we seen it applied to TV sets?
Just opinion here, but I expect the line between "state" and "corporate" to continue to blur so that by 2020 or so, the difference will be hard to spot.
Some argue it's that way now, as in, the nation state can't make security decisions without corporate input/permission/aide.
Great article. The one thing I don't agree with is the idea that gaming will always need close-to-home computing power. I think in the near future (still 10-20 years out probably) "game consoles" will probably be mostly in the cloud as well. Look at the "OnLive" consoles (I believe that's what they're called) they haven't had the GREATEST success yet, but they are on their way I think. Once the networks expand and broadband home networks are more widespread with better bandwidth, I think it could be very successful.
@Zach: That's already started with on-live. Heck even some internet gaming already exists.
@Zach: Argh.. should have read all your post :)
The last sentence is already here. Automated call centers are in place not because they are more efficient, but to place a significant barrier between the customer and the company. Once that is in place there is a strong motivation to just pay the extra 20 on the bill because it may take you hours on the phone to correct the company's error.
Clearly, the customer is a parasite when asking for accurate billing (they are not a 'model customer' at that point). I view the call center software as a security effort because from the point of view of the company, it protects an economic asset (the profit of errors).
Technology will give us the ability to control everything except technology.
Also refreshing to see Bruce making commentary in the field he's actually good at; IT security - there's been a little too much "security theatre" focus.
A very thoughtful and interesting essay! I wonder how legislation between now and then will impact current trends though.
Unrestrained, I could definitely see that come true (in a good way, or in a bad way too), but it seems like there is a big movement in congress to try to change some of that.
That's true in the corporate world, yes, but that's the point. The corporate world appears to be very different than home computer use today, but more and more the home computing environment will, in fact, come to resemble the corporate world in key details.
In the corporate world, the laptop belongs to the company and you work for the company. You are not the customer, and the equipment is not yours.
However, in the private sector, we expect our computers and other devices to be ours, and we believe we are the customers of those whose services we use. However, this isn't necessarily true, and it is less true as we go forward. We need to be aware of this if we wish to have any real idea of what IT in 2020 looks like.
Of course, by then, we'll be able to see what is happening. Instead of foresight or hindsight, we'll have 2020 vision. ;)
I, for one, welcome our free advertisement-laden hardware
This essay sounds like it could have been the forward to the 1st chapter of Charlie Stross' Accelerando novel.
No offense, but I think Bill Joy wrote this in 2000.
@Jim Rodovich: One reason we haven't seen free TV sets is that there's no good way to tie them to specific advertising.
People, in general, want TV sets. They will go out and buy them themselves. They want to watch everything on their TV sets, and so you can't sell them sets that only get your ads. It might be possible to run your own ads in addition, but that would require the ability to feed them to the TV.
This doesn't mean that people wouldn't accept free TVs in exchange for advertising. They do, after all, accept an appalling amount of advertising in exchange for TV programs.
It would be possible to make a cheap laptop that would tie into a particular ad source on the Internet. The OS would need to be locked down, probably at the hardware level, but in truth a few free-riding hackers wouldn't hurt the program that much. There's no technical reason why this wouldn't work, or would be difficult, it's just financial.
Since somebody tried this model in the 1990s, it must have some appeal to somebody, and as hardware prices come down I'd expect to see this tried again.
"@Jim Rodovich: One reason we haven't seen free TV sets is that there's no good way to tie them to specific advertising."
Yeah, and then with laptops it is not just that you can advertise. You can also track the users' behaviour ad nauseam (not just what ads they click on but what they search and what search results they click on, etc.), sell the resultant data and make better ads from it. You cannot do this with TVs.
In 2020, parasites are us.
If one sets aside for a moment the "sinister forces in the govt and faceless multi-national corporations are at work to de-humanize/de-personalize/de-libertize us to the point that we are merely nodes in the matrix!!" hyperbole, there is some good stuff in that article.
deperimeterization: is all about access and productivity, getting what you want whenever you want it. The trend will move forward more slowly than characterized here as attempts to provide that access collide with security problems. For example, storage devices such as thumb drives were just recently outlawed on SIPRNet.
consumerization: trend to continue, but again, slower than characterized. Many corporations are now shutting down smart phone email access due to lack of security.
decentralization: It will flatten out in my view; there is only so much advertising money out there to fund these "free" services such as hotmail and facebook.
cloud computing: personally, I doubt it. I think we are probably pretty close to stasis as far as computing moving to the cloud. Pipes aren't that big, security concerns, people like to have (some) stuff local... remember Larry Ellison and the thin client? Mainframes? This idea has been around a long time..
deconcentration: "The general-purpose computer is dying and being replaced by special-purpose devices", personally I doubt it.. Special HW for web browsing and email, sure, and that's 75% of internet traffic, but you'll always have games, MS Office, development tools, etc...
giving away HW for advertising: no way, perhaps some very small devices, but there isn't that much advertising money out there. Companies have always made their money on HW; that won't change.
"Internet of things": sure, you can put my toaster on the internet, but I'm not going to pay the extra $5 for that capability. I'm not going to pay the extra $100 to have my thermostat available via browser; it isn't that important to me.. Smart devices/homes have been around a long time, we'll get some niche stuff, but overall? Not going to happen...
"...Your phone will talk to vending machines; they already do in some countries. The ramifications of this are hard to imagine; it’s likely to be weirder and less orderly than the contemporary press describes it. But certainly smart objects will be talking about you, and you probably won't have much control over what they’re saying."
For a sneak preview of how this may play out in reality, see the 2002 movie "Minority Report"
I see a parallel with the financial industry. It used to be the financial markets were a means to an end. Markets allowed capital to be raised for investment into activities that added value to raw materials. It could be mining, farming, manufacturing or what have you.
Then folks noticed that you could make a lot of money in markets without getting your hands dirty. It drew so many bright, ambitious achievers that the old model no longer provided enough juice to keep it all going. So instead of being a means to an end, the wizards involved turned finance into an end in itself, cooking up all manner of derivative investments that allowed them to make ridiculous amounts of money while adding nothing of value to the economy. The economic meltdown was simply the partial collapse of this giant house of cards.
In the same way, IT and computing was originally a tool, a means to an end. In the bubble of the '90s it became an end in itself. The bubble burst because people stepped back from the hysteria and realized that the hype was built on nothing, that there was no sound business model driving these "successful" startups.
Now we all think we're smarter, but we're going down the same road again. The new social media paradigm of consumer as product looks real sexy to investors and advertisers, but the industry is poised to get drunk on its own sense of self-importance and implode spectacularly.
I absolutely agree with you. From the users point of view, the Cloud "centralizes" all their data in one location.
But, as pointed out, from the Cloud-owner's point of view, the data may be de-centralized as they may have your different directories residing on different machines, in different states, or even on different continents.
And how many of us sanely-paranoid computerists are going to trust somebody else with our data?
We are the types that will be glad to hang onto our old hardware, and old operating systems, with our collection of multiple hard drives, and keep our data close.
We will not give up small amounts of privacy for small amounts of convenience. We will be willing to pay for Internet access if it means we won't be profiled and target marketed based on our web-browsing habits.
> I expect the line between "state" and "corporate" to continue to blur
> so that by 2020 or so, the difference will be hard to spot.
"The Future Will Be A Totalitarian Government Dystopia"
"The Future Will Be A Privatized Corporate Dystopia"
The Onion. May 17, 2000
"I'm not going to pay the extra $100 to have my thermostat available via browser, it isn't that important to me.. Smart devices/homes have been around a long time..."
It may not be important to you, but you are a little behind the curve on this; you will find that the legislative process has already started to force you to have "smart meters" and "smart environment control" (heaters and air cons) within the next few years as a thinly disguised "green measure".
Although carbon footprint reduction is a good idea, the methods proposed (smart meters etc.) are idiotic and a real security nightmare.
If you think about the design life of a hot water heater, it's something like (or used to be) 25 years.
DES only had a real public network lifetime of 10 years. The ink was hardly dry on the NIST stamp of approval before the first of the practical timing attacks across the network was published about it, and it's been downhill for AES ever since.
Based on this I realistically expect it to be less than a year after the latest NIST hash competition is over before a practical side channel attack against it over the network is published.
Unless we take sensible measures like NIST mandating plug and play frameworks (for the primitives), then we will get a race for the bottom response out of the companies supplying these "smart home" devices, and you can bet that all of them will be broken before they are even half way through their design life (unless they design them for less than ten years).
So no matter how little you want a web interface on your AirCon, you can bet that with legislation it will be put on there for the Utility techs, oh and you might be able to buy a subscription to it for 50USD a year just so you can set it up the way you want.
I don't know what the "smart meter" utility crowd are like in the US, but in the UK the utility marketing people are having wet dreams about what they can get in the legislation, and you can be sure that the security of these devices is not even getting lip service at this point in time.
I would very much like to be wrong; I would very much like to see a sensible updatable security framework mandated from day one, but past history is telling me not to hold my breath on it.
> you will be 100% owned by some corporate who you have no control over
> just an empty Faustian Contract.
That "contract" will be an adhesion contract that (1) waives all your rights, (2) gives immunity to the other party, and (3) can be unilaterally amended by the other party.
Minnesota Law Review, Vol. 91, 2006
"Today, by contrast, it seems widely (though not universally) accepted that if you write a document and call it a contract, courts will enforce it as a contract even if no one agrees to it."
This will lead to what Professor Evan McKenzie calls
"'repressive libertarianism,' where certain people who call themselves libertarians invariably side with property owners who want to limit other people's liberties through the use of contract law. Property rights (usually held by somebody with a whole lot of economic clout) trump every other liberty."
A blog entry that long should really come in MP3 format.
I sense an opportunity for an Ugly Invented Security Words contest.
@clive: no worries mate, you're wrong :-)
Any regulations regarding appliance efficiency will be implemented (if indeed they do come) on the manufacturer not the end user. Same way that regulations exist on car emissions today.
If there are any regulations coming on resource use (the amount of electricity you use for example), it will come in the form of taxes/surcharges, not "smart meters" monitored by the govt.
I fully expect that by 2020 OnStar (or equivalent) won't simply be a voluntary service that the FBI can commandeer occasionally on a whim, but rather a system where your engine will not start until it has contacted the satellite and gotten approval of your itinerary and what temperature you plan to maintain in the cabin.
Excellent observation. I agree, it's hard to imagine that Facebook is/could be successful in a real market scenario, i.e., where its success is based on stock performance and not perceived, "someday later" potential.
Furthermore, people only have a determined amount of disposable income to spend. "Intelligent advertising" gleaned from Facebook habits won't triple their spending. Not to mention that people already know what they want, anyway.
If Zuckerberg wants to go balls out and prove his person of the year status, he can announce a Facebook IPO and see how valuable the product is in an open market that expects results.
@Carl: I think you're seriously underestimating the move to appliances.
I already spend the majority of my game-playing time with my iPhone and DS, and the rest is mostly MMORPGs. Lots of people use their Wiis, XBoxes, and Playstations for games. I keep hearing about trends away from games on computers because of piracy concerns.
You can run Microsoft Word on an appliance. The reason it isn't on the iPad is that Microsoft hasn't put it there. It does have word processing software.
Software development is not a large part of the computer field. There's plenty enough of us to make a lucrative niche market, so the general-purpose computer isn't going to go away, but it's really more than most people want.
This item found on SlashDot:
Race On To Fingerprint Phones, PCs on Wednesday December 01, @12:00PM
Posted by CmdrTaco on Wednesday December 01, @12:00PM
from the i-see-what-you-did-there dept.
theodp writes "Advertisers no longer want to just buy ads, reports the WSJ. They want to buy access to specific people. In response, the race is on to develop digital fingerprint technology to identify how we use our computers, mobile devices and TV set-top boxes. Start-up BlueCava, an anti-piracy company spinoff, is building a 'credit bureau for devices' in which every computer or cellphone will have a 'reputation' based on its user's online behavior, shopping habits and demographics. By the end of next year, BlueCava says it expects to have cataloged one billion of the world's estimated 10 billion devices, and plans to sell this information to advertisers willing to pay top dollar for granular data about people's interests and activities. It's 'the next generation of online advertising,' said Blue Cava's David Norris. As controversy grows over intrusive online tracking, regulators are looking to rein it in; the FTC is expected to release a privacy report Wednesday calling for a 'do-not-track' tool for Web browsers."
First, there was the credit rating. Then came the proprietary insurance ratings (for house & car owners). Next, there are the insurance ratings for the houses and cars themselves. It eventually grew to health ratings, hospital & doctor ratings, and then your 'ability to pay' health rating. With cell phones, we have your location (not a rating but used much the same way), your profile of activity, and then internet tracking to rate you for whatever. Finally, we are rating your internet (& other devices) to add to your profile. On the border are ratings for your household devices (furnace, air, water, electricity, & gas). They can also rate your sewage flow to see what you are flushing out, who in the house is sick or pregnant, and to determine what you are cleaning and how clean you are. Rolling mobile scanners will rate other activity both on the street and in our houses. And of course, all of our financial information is already in the wild, rating us right into the grave.
Let's have Blue Cava publish these same device ratings of all their executives and employees so we can see how well it works. Oh, no! That's private. I've upped my privacy standards, now David Norris, up yours.
Doesn't Facebook already have all that information?
Yes, I see where it is all going. We need greater ability to go off-grid.
"I fully expect that by 2020 OnStar (or equivalent) won't simply be a voluntary service that the FBI can commandeer occasionally on whim, but rather a system where your engine will not start until it has contacted the satellite and gotten approval of your itinerary and what temperature you plan to maintain in the cabin."
You fully expect that in 10 years, all drivers in the United States will be required to file a drive plan for approval before going anywhere in a car? That's just silly. Even if the federal government wanted to build such a system, a contention which is laughable, and it passed legal muster, which is mildly less laughable, there's no way it could be built in that time frame.
Human nature never changes...
But maybe the behaviour does; adaptation is the only way to survive.
It is obvious from your comments you did not read mine as you are claiming I've said things I have not.
This appears to be a bad habit you have got.
Go back and read what I said again...
@Johnston '"Intelligent advertising" gleaned from Facebook habits won't triple their spending.'
Of course it won't, but the idea is to move as much of the spending as possible towards the advertisers.
Think of shampoo ... many people buy it on a regular basis to keep their hair and scalp clean, advertisers spend a lot of time and money trying to convince their target demographic that their brand will do more than just clean the hair.
Identify a person's demographic and degree of follicular challenge and you can target them with appropriate ads for your hair care products.
Actually it has always been this way: if you are not a part of the system, you are a parasite.
"Think of shampoo ... many people buy it on a regular basis to keep their hair and scalp clean, advertisers spend a lot of time and money trying to convince their target demographic that their brand will do more than just clean the hair."
Not me. I shave my skull. But I only use official HeadBlade (tm) (c) products when I do so.
Don't forget the good things that come from advertisements. Jobs. People are paid to think up the ads, produce them and so forth.
The late Harry Browne anticipated the future correctly almost forty years ago (not the tech details, perhaps), and offered antidotes, in his 1973 book, "How I Found Freedom In An Unfree World". Interesting reading.
I intend to remain a "parasite" as long as possible; to buy nothing new, insofar as possible; and to go down with the ship.
It's a shame George Orwell isn't around to see his dire predictions realized, but I want no part of them.
"It is obvious from your comments you did not read mine as you are claiming I've said things I have not"
are you referring to this post?
@clive: no worries mate, you're wrong :-)
Any regulations regarding appliance efficiency will be implemented (if indeed they do come) on the manufacturer not the end user. Same way that regulations exist on car emissions today.
If there are any regulations coming on resource use (the amount of electricity you use for example), it will come in the form of taxes/surcharges, not "smart meters" monitored by the govt.
If so (and that is the post you are objecting to..) I am not sure what the issue is, you claim consumers will be mandated to purchase a smart interface that will be used to enforce emissions rules:
"So no matter how little you want a web interface on your AirCon you can bet that with legislation it will be put on there for the Utility techs,"
my response was, no.. that isn't how it's going to happen. If the govt wants to impose restrictions, they would do so on the mfg, not the consumer. The same way car emission standards are enforced today.
I read and understood what you said, I disagree with it, I stated what in my opinion is going to happen.. simple..
Agent: It's worse than you know.
Mal: It usually is.
@David Thornley: I wasn't disputing that people would accept free TV sets or free computers. I'm disputing that they could be profitably given away by being subsidized only by ad revenue. The problem is that the cost of these devices is high enough that it would take several weeks or months for ad revenue to cover it all. What happens if the user loses interest in the device and it starts collecting dust? What happens if she soon upgrades to a newer model made by one of your competitors? (If it's free, why not?)
@Brandioch Conner: But those jobs are paid for by us suckers who watch the ads and buy the things they push. If only machines and algorithms could do the creative work, then the things we buy would cost less *and* we could free up all those people to become dentists or cryptographers or something.
Excellent article in the best tradition of Alvin Toffler and the likes.
Technology has always been used by the rich and powerful to observe, shape and control the masses. This is nothing new. We already live in a world where big corporations have a firm grip on governments and boundaries become increasingly blurred. In the past, governments and institutionalised religion bonded together to exercise power over the people. Today, and probably tomorrow even more, it's corporations that have taken over the role of religious authorities. Just look at Wikileaks and the role of Visa, Mastercard, Amazon and others therein.
There is no denying that the trends described in the article are real, and inevitably will impact all of us. To which extent will pretty much depend on ourselves. Even those among us born in the internet age or those 10 years from now in due time will learn hard lessons that will make them question the technology they've come to depend on:
1) Unless you're Brad Pitt or Robbie Williams, there really is no such thing as a free ride. Whether it be your Facebook account, GMail, MySpace, Chrome browser, the smart phone you've gotten from your provider, they all come with a catch.
2) Any device connected to the internet or communicating with other devices is a two way street. For you, it's a gateway to the world, for someone else it's a gateway to your world. If it can't be switched off, it's evil.
3) There really is no point in spilling all of your life and data on the internet. Nobody is interested anyway, except those that stand to make a profit or use it against you. This may become clear some day when HR stumbles over a Facebook picture of you snorting cocaine, or when you're refused a government clearance over a comment you posted on www.schneier.com .
I think herein lies a challenge for all of us. To create awareness and educate others on smart usage of internet age technologies so they can be used for us, not against us.
I don't think you'll have to wait for 2020, all this stuff has already happened
You haven't been paying attention. SmartMeters(™) that allow utility companies to view and control the power use of individual residences *are already being installed by government fiat* in northern California. This isn't the future that Clive is talking about, it's now.
PG&E want the ability to track and bill for power use by the hour, and to turn down/off the consumption of power by anyone they deem to be "over consuming" in times of increased power demand. They are installing meters that will let them do it. There's not a damn thing you or anyone else can do to stop it (they pay their politicians well apparently).
ok, so we went from
- The original article talking about the "internet of things" a general statement that more and more things will communicate via IP
- my (perhaps not ALL encompassing, as I didn't address the ONE thing that gets installed on your house that you don't have a purchase choice on) response that smart appliances have been around for a while, and I'm not about to pay extra for them, so I don't see wide spread implementation of them in the future.
- Clive's (actually, now that I think about it, very off topic) response to my post (which was clearly aimed at so called "smart appliances" that allow access via an HMI from any location) regarding security on "smart meters" and "smart environment control" (heaters and air cons) being a "nightmare", presumably we would see a rush of illicit activity on our water heater monitoring systems unless one time pads were used in the transmission of energy usage statistics back to the mother ship.
- my response (admittedly aimed at his "smart environment control" (heaters and air conditioners), not the smart meters portion), indicating that govt control over efficiency/emissions wouldn't be enforced with gov't monitored sensors, rather it would be levied on the mfg, as car emissions and Energy Star ratings are currently done.
so, you could correctly argue that I addressed only 1/2 of Clives post and I failed to recognize Clive's right angle off into gov't conspiracy land.. I should have known better.
So, ok. Let us examine the latest dire threat to your civil liberties, the govt sinister plot to ever erode your rugged individualism via knowing when you blow dry your hair in the morning. As you can see from below, there are no evil intentions here. They want better granularity on billing, they want to reward people that are using electricity off peak, and penalize (via higher pricing) those that aren't. In case you were unaware, CA faces some really DIRE energy consumption issues, and they are merely attempting to address that situation.
On July 20, 2006, California's energy regulators approved a program to roll out conventional meters retrofit with communications co-processor electronics to 9 million gas and electric household customers in the Northern California territory of Pacific Gas and Electric (PG&E). These meters report electricity consumption on an hourly basis. This enables PG&E to set pricing that varies by season and time of the day, rewarding customers who shift energy use to off-peak periods. The peak pricing program will start out on a voluntary basis, and the full rollout is expected to take five years.
" I think you're seriously underestimating the move to appliances. I already spend the majority of my game-playing time with my iPhone and DS, and the rest is mostly MMORPGs"
point taken, but custom HW for gaming systems has been around for decades (remember Atari), it certainly has eroded PC gaming systems more in the past 10 years due primarily to graphics capability, but PC is still here for people that can't afford the Wiis..
"You can run Microsoft Word on an appliance. "
agreed, but you'll always want a standard size keyboard and a big monitor when it comes to homework and office work, then you're back to good old PC.
Another point, one might argue that gaming systems would displace a lot of home PCs, but most of the sub $1,000 PC market is business, and that is never going to get displaced..
Just an attribution note, Bruce -- as Cory has said in his essays about the concept that all complex ecosystems have parasites, he got the line from Kathryn Myronuk (my partner) who had it as her signature for a long time.
Just a nitpick. You say "In 2020—10 years from now—Moore’s Law predicts that computers will be 100 times more powerful." -- that's incorrect. Actually they will be 26.3 times as powerful. To get a factor of 100 you need 14.5 years.
The actual price-performance doubling time is 2.19 years according to careful research by Heebyung Koh and Christopher Magee at MIT. They give annual performance per unit cost growth rates of 37.3% (+/- 4.7) for computation, 26.8% (+/- 4.9) for storage, and 33.3% (+/- 4.3) for communication bandwidth, which translates (ignoring the error bars) into doubling times of 2.19, 2.92, and 2.41 years, respectively.
So, using 2.19 as the doubling time, in 10 years computing power will increase 23.6 times (18.5 for storage, 21.53 for communication bandwidth). To get a factor of 100 you need 14.5 years (19.4 for storage, 16.0 for communication bandwidth).
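The compound-growth arithmetic behind this comment, carried through as an added worked example (it is not code from the post or from the commenter). It takes the annual price-performance growth rates and error bars quoted above as its only inputs and derives doubling time, the factor reached over a horizon, and the years needed to reach a target factor; it also goes one step further than the comment by propagating the +/- error bars into low/high ranges. Function names and the `RATES` table layout are mine.

```python
"""Doubling time and cumulative growth from an annual growth rate.

Added worked example, not from the blog post or the comment. The growth
rates and uncertainties in RATES are the ones quoted in the comment
(attributed there to Koh and Magee); the formulas are ordinary
compound-growth arithmetic.
"""
import math

# Annual performance-per-unit-cost growth, as (mean %, +/- %) quoted above.
RATES = {
    "computation": (37.3, 4.7),
    "storage": (26.8, 4.9),
    "communication": (33.3, 4.3),
}


def doubling_time(annual_growth_pct: float) -> float:
    """Years to double at a constant annual growth rate r: ln 2 / ln(1 + r)."""
    r = annual_growth_pct / 100.0
    if r <= 0:
        raise ValueError("growth rate must be positive")
    return math.log(2) / math.log1p(r)


def growth_factor(annual_growth_pct: float, years: float) -> float:
    """Cumulative factor after `years`: (1 + r)**years, i.e. 2**(years / doubling_time)."""
    return (1.0 + annual_growth_pct / 100.0) ** years


def years_to_factor(annual_growth_pct: float, factor: float) -> float:
    """Years until cumulative growth reaches `factor`: log2(factor) * doubling_time."""
    if factor <= 0:
        raise ValueError("factor must be positive")
    return math.log2(factor) * doubling_time(annual_growth_pct)


def summarize(rate_pct: float, err_pct: float,
              horizon: float = 10.0, target: float = 100.0) -> dict:
    """Return (low, mean, high) triples for doubling time, growth over `horizon`
    years and years to reach `target`, spanning the +/- error bar on the rate.
    A faster rate means a shorter doubling time, so the bounds are swapped there."""
    lo_rate, hi_rate = rate_pct - err_pct, rate_pct + err_pct
    return {
        "doubling_years": (doubling_time(hi_rate), doubling_time(rate_pct),
                           doubling_time(lo_rate)),
        "factor_over_horizon": (growth_factor(lo_rate, horizon),
                                growth_factor(rate_pct, horizon),
                                growth_factor(hi_rate, horizon)),
        "years_to_target": (years_to_factor(hi_rate, target),
                            years_to_factor(rate_pct, target),
                            years_to_factor(lo_rate, target)),
    }


if __name__ == "__main__":
    for name, (rate, err) in RATES.items():
        s = summarize(rate, err)
        d_lo, d, d_hi = s["doubling_years"]
        f_lo, f, f_hi = s["factor_over_horizon"]
        y_lo, y, y_hi = s["years_to_target"]
        print(f"{name:14s} doubling {d:.2f}y [{d_lo:.2f}..{d_hi:.2f}]  "
              f"x{f:.1f} in 10y [{f_lo:.1f}..{f_hi:.1f}]  "
              f"100x after {y:.1f}y [{y_lo:.1f}..{y_hi:.1f}]")
```

The two-year "Moore's law" figure in the post and the 2.19-year figure in the comment go into the same `doubling_time`/`years_to_factor` pair; the ranges show how much the conclusion moves within the quoted error bars, which is the caveat the comment's point estimates leave out.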
You are doing it again with your reply to Miara.
You are making incorrect claims about what I have said and not said.
Go back and read my comments again.
I find it most interesting to ponder:
How many of us will inadvertently become criminals, in the eyes of the business world, just because we choose to bypass the spam they want to feed us or protect the data they wish to create.
Imagine this concept of unacceptable behavior is actually codified in criminal law. We could have a world where refusing to run scripts (using NoScript) and refusing to receive ads (AdBlock) or similar was considered criminal "theft of service" (a felony). Now don't laugh too hard because I've already seen EULAs that basically create this as a condition of use...
What about if I choose to always protect my identity by using TOR, or similar, can that somehow constitute a crime, Google probably thinks so.
How about simple things like protecting myself from being tracked. I've personally worked on systems that track store RFID cards and generate cash register receipt discounts for items that users have viewed but not purchased. Am I bound by some crazy EULA that requires me to permit this tracking? What about when the EULA was stamped on the packaging the card came in, which I threw away...
How symmetric is that right to collect data? Does the individual have the same rights as an established business? Do I have the right to spoof their data collection system? How about if I send data back to say I stood in front of every item in the store for 10 min, all in the space of a 15 min visit? Is it fraud when I get repeated discounts?
If the data on a Customer Loyalty card is encrypted, do I as the bearer of the card have any right to know what is stored on the card? What about a world where my card talks to other appliances; whose information is that...
As always, very interesting article. I agree with most of your predictions, except for the one on 'growth in specialized applications'.
I don't necessarily agree with this one. The gap between specialized applications and web sites is closing even now (Microsoft, Apple, and open source are all pushing HTML5). IMO, web sites will change to 'applications for the web platform'. In which the web platform is a generic platform.
Writing N 'specialized apps' for N different platforms, IMO that's a thing of the past, in the same way as the operating system is moving to the background.
In paragraph 16 you used the word "deconsumerization". Did you mean "decustomerization"? Just to get the terms right.
"As computers become smaller and cheaper, this trend will only continue. It'll be easier to use special-purpose hardware and software. And companies, wanting more control over their users’ experience, will push this trend."
Actually Bruce, I sorta see things moving in the opposite direction. While most people think of the Intel Atom as a netbook chip, my Viliv S5(http://www.myviliv.com/eng/product/s5.asp) UMPC ships with an Atom Z520 that I've managed to overclock to 2ghz, and I still get a good 7 hours of battery life with only ~2.5w TDP. And, ARM has the multi-gigahertz Quad-core Cortex-A15(http://www.arm.com/products/processors/cortex-a/cortex-a15.php?tab=Performance) slated for mobile devices(such as phones).
What we're starting to see is the industry starting to deliver true low-power (TDP) performance capabilities in devices that fit in the palm of your hand, or the back of your pocket. No one wants to carry around 5 different devices to do 5 different things, they want to carry 1 device that does 5 things. I suspect we will either start seeing SmartPhones turn into general-purpose computing devices (we're already seeing this), or we're going to see already general-purpose UMPCs shipping with voice-enabled 3G/4G modems, polishing the devices as true "do everything" machines.
Eventually, people are going to get fed up with the hermetically sealed product/service model, and are going to demand products that allow the freedom to do as they wish.
I also don't see "Cloud Computing" lasting too long because it's being pushed for the wrong applications. As an example, Amazon's elastic computing cloud makes sense because it allows you to grow/shrink your infrastructure with demand, on demand, increasing the ROI of IT budget allocations.
However, things like ChromeOS don't make sense and I feel are destined to fail. Consumer broadband connections are slow, making storing large things in the cloud painful. On top of this, you get no option for backing up your content and Google will /never/ accept liability for data loss - they don't even reliably maintain data integrity in their hosted gmail service aimed at SMB. "Cloud" solutions (I HATE the word cloud) have their place sometimes, but they're being pushed in all the wrong arenas. I also feel eventually people and businesses will realize that cloud solutions are even more of a lock-in than the choice of appliance vendor/hardware vendor/wholesaler/OS/whatever.
And it must be said, eventually the house of cards that is "cloud security/availability" will fail in a very bad way, putting just one more nail in the coffin. Here's looking forward to a torrent of leaked EC2 and ChromeOS instances.
"What we're starting to see is the industry starting to deliver true low-power (TDP) performance capabilities in devices that fit in the palm of your hand, or the back of your pocket. No one wants to carry around 5 different devices to do 5 different things, they want to carry 1 device that does 5 things. I suspect we will either start seeing SmartPhones turn into general-purpose computing devices (we're already seeing this), or we're going to see already general-purpose UMPCs shipping with voice-enabled 3G/4G modems, polishing the devices as true "do everything" machines."
There is a fly in the ointment to this that most don't consider and that is radio communications.
It is not a great secret that what scares not just the service providers but the regulators as well is "Software Defined Radio" and the as yet ill defined Ultra Wideband (like Spread Spectrum on steroids).
They are used to seeing the radio spectrum sliced by frequency and to a limited extent time, and that is the way it has been done until recently. However Spread Spectrum Systems showed back in the 1950's that Code Division was possible and in many cases more efficient in terms of the number of users and data rate in any given block of the radio spectrum. Ultra Wideband takes this a step further.
What however has kept the old order of spectrum regulation in place has been the "type approvals process". Well Software Defined Radio chucks this out of the window by effectively using high end DSP techniques whereby a computer chip does the bulk of the heavy lift in putting data in a form suitable for transmission and reception.
As far as the licensing authorities are concerned the Chinese curse has come true and they are living in interesting times.
Thanks for fixing "decustomerization".
Now can you fix..
I think you did a copy/paste from a PDF file with heavy kerning...
"The gap between specialized applications and web sites is closing even now (Microsoft, Apple, and open source are all pushing HTML5).
True and false at the same time, you have to look at all applications as three different parts.
As you say,
"IMO, web sites will change to 'applications for the web platform'. In which the web platform is a generic platform."
This is definitely happening but... the human interface is not the whole application, just a part of it.
Thus when you say,
"Writing N 'specialized apps' for N different platforms, IMO that's a thing of the past, in the same way as the operating system is moving to the background"
It is not completely true.
We see some programs being put into generic languages that will run on multiple platforms, but these are mainly "data entry" type programs such as word processors, spreadsheets etc. They consist of a human interface at the front end, a data storage back end and, importantly in their case, a limited and very generic data manipulation engine.
A large number of programs don't have either a generic or limited data manipulation engine. And this is where there will be "custom programming" for the foreseeable future.
But the question is how custom...
There are various data manipulation engines available today that have their own programming language (Spice, MathsLab, SQL, etc). These are and will make vertical application markets broaden out, but they will require real grunt that won't be available in a convenient off site form.
Then there are all the applications where humans are not the data entry source, through to Real Time Systems hidden away in your "white goods", the ABS and engine management systems in your cars, and those in aircraft, space craft, rockets, missiles and other advanced technology and (unfortunately) weapons.
I believe your aluminum foil skull cap has slipped down, obscuring your view of the monitor. Please adjust as necessary.
@ Robert T,
"Imagine this concept of unacceptable behavior is actually codified in criminal law"
In essence the law always has been about "unacceptable behavior". But in past times unacceptable was defined by people who felt it was what society wanted.
However the past hundred years has seen that change; with few exceptions the law has been slowly turned into a protection racket by vested interests with an easy hand on the dollar.
The reason: most of our law makers either lack critical reasoning skills and the required level of knowledge, or are simply horse trading for their own gain, which might well be because one or more are on the take either directly or indirectly, as are their political parties.
I have been suggesting for some time that part of the problem is the legislators have time on their hands and an overwhelming desire to justify their existence.
This makes them a natural match for those who have the resources to provide them with ready made ideas for legislation etc.
One partial cure for this ill is to require all legislation without exception to have sunset clauses where the law has to be reviewed on a regular basis. This gives the legislators something to do, but more importantly it allows bad laws put in for wrong reasons to be more easily highlighted and struck down, simply because they would have to be re-affirmed in the knowledge that they were bad, which would not be in a legislator's best interests.
We are the Borg. Resistance is futile. You will be assimilated.
Yup, laws ought to have sunset provisions. First I heard that idea was from R Heinlein -- anybody have an earlier reference?
But RH also had what would have been a better idea (now far harder to implement). Disallow voting for those who take more from the government than they give....now that would really rock the world. The thing is, there are now so many hidden subsidies, and so much "political correctness" that anything that smacks of being actually fair will be decried as unfair, loudly.
You are not thinking like a security researcher. You are unthinking like a common Consumer.
There's an old saying: "Any power that can be abused will be abused."
PG&E, police, and local, state and federal government will all abuse the power they get from hourly monitoring of electricity usage. They can't help it. It's For Your Own Good.
Look at the E Z Pass electronic toll collection system. It's already been abused by police and government authorities in ways those authorities swore it would never be used. What makes you think so-called "smart meters" will be any different?
I am talking as a person who has not embraced the libertarian, anti-government philosophy. True.
That doesn't have anything to do with security however..
Libertarian or not, government involvement IS a security concern. Government actions can directly and indirectly violate an entity's security policy. Their actions can also make one vulnerable to non-gov attackers.
It's actually simpler than that: security is about preventing losses due to malicious activity. Governments (and their employees) can cause losses via malice and incompetence. Hence, government is a security concern for wise defenders.
Just ask anyone who lost assets because they had Tor running or the FBI seized a bunch of computers at a shared hosting company to look at just one client. These things have happened. If gov't had been considered a risk, these could have been mitigated.
A security system that can keep a duly authorized organization from executing a warrant, approved by an officer of the US Judicial system, in pursuit of a criminal investigation.
In other words, a security system that can obstruct justice..
Interesting thought, I guess...
It's doable without obstruction of justice. It's a matter of indirection and apparent intent. Here's a few examples.
1. Seizure of physical server housing multiple clients' VMs. One is guilty, FBI wants the physical machine for analysis, and innocent businesses lose their uptime, maybe go out of business (this has happened). Preventative measure: backup VM in a different area with a different kind of customer base. That's common for preventing losses due to disaster, but can also prevent collateral damage from government as well.
2. Logs that expire after a period of time and are written to a volatile or encrypted medium. In other words, the logs are definitely gone. Same could be said for session information. It's kept for a certain period of time, then thoroughly removed. Ensuring privacy is legal. The government could grab whatever is still in storage, but they lose the rest.
3. Stateless or privacy-preserving protocols that take steps to anonymize user content. The amount of data produced is inherently low.
4. Incorporating and hosting in certain foreign countries can stop many civil suits from grabbing data and may slow or stop law enforcement, depending on the case.
5. Having trusted foreigners in a country non-friendly to one's government own and run the systems the business uses, leasing the functionality to the American company, can also reduce law enforcement's effectiveness. In a place like China, this doesn't cost as much extra as it may seem. The risk of loss to the offshore group is higher, but manageable.
So, there are numerous constructs that reduce the power of government over one's data or IT operations, while not being illegal. So long as the company cooperates when mandated to the best of their ability, they are complying with the law. (This doesn't count things like HIPAA.) The trick is reducing the ability to comply in a way that maintains security. It's not illegal: just frowned upon.
Bruce, you may want to come up with another term for depersonization, since depersonalization (almost the same word) is a rather nasty mental illness, a dissociative disorder.
> There's an old saying: "Any power that can be abused will be abused."
"The central problem — how to prevent power from being abused — remains unsolved. . . ‘If men would behave decently the world would be decent’ is not such a platitude as it sounds."
"Charles Dickens" (1939)
Let's look at the meaning of the word Parasite:
Biology- An organism that grows, feeds, and is sheltered on or in a different organism while contributing nothing to the survival of its host.
(not 100% right - leeches can help with certain diseases i.e. Asthma)
1. One who habitually takes advantage of the generosity of others without making any useful return. (picture your favourite corporate logo)
2. One who lives off and flatters the rich; a sycophant. ( now picture how their marketing looks at you)
A professional dinner guest, especially in ancient Greece. ( no comment )
Now think of Stuxnet. Bionic, isn't it.
Great article; it leaves you with the question of whether parasitism will be seen more on the big scale (security to keep you out if you're no customer, i.e. not adhering to required standards) or the small scale (people tweaking their way around security measures to feel ok).
Let's wait and see. I put 50 cents on the people.
My thoughts on 2020:
Security died a spectacular death within those ten years. Morals about privacy changed, and so did people. This generation doesn't value privacy, and this continued to erode to the point where complete transparency was the new convention. Pads, tablets and hubs became billboards and displays of the new human, our lives became fully synthesized. We finally came to realize that security and privacy was made of baked air, sold by the pound. We truly woke up from a superior mirage, called security. There is nothing to lose, if you don't own it.
@Sasha van den Heetkamp
"This generation doesn't value privacy"
I agree. Take a look at how many people are willing to post nude/p0rn0graphic photos/videos of themselves on the internet or sext them to others. And how popular some voyeuristic "reality" TV programs are. As time goes by this may just get a bit worse.
Actually, looking at news articles like this one, one can see that the USA still has a comparatively strong rule of law (compared to places like the Soviet Union, for example)
Judge orders feds to pay $2.5M in wiretapping case
I guess I'll start trusting the cloud when Microsoft keeps its data in Google's cloud, Google keeps its data in Facebook's cloud and Apple keeps its data in Microsoft's cloud.
I wish Schneier's book would address issues in this very important article.
And these SMART meters, max on exploits, bad airs for security.
How about watching a film, The Matrix?
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.