Real-World Security and the Internet of Things

Disaster stories involving the Internet of Things are all the rage. They feature cars (both driven and driverless), the power grid, dams, and tunnel ventilation systems. A particularly vivid and realistic one, near-future fiction published last month in New York Magazine, described a cyberattack on New York that involved hacking of cars, the water system, hospitals, elevators, and the power grid. In these stories, thousands of people die. Chaos ensues. While some of these scenarios overhype the mass destruction, the individual risks are all real. And traditional computer and network security isn’t prepared to deal with them.

Classic information security is a triad: confidentiality, integrity, and availability. You’ll see it called “CIA,” which admittedly is confusing in the context of national security. But basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

So far, Internet threats have largely been about confidentiality. These can be expensive; one survey estimated that data breaches cost an average of $3.8 million each. They can be embarrassing, as in the theft of celebrity photos from Apple’s iCloud in 2014 or the Ashley Madison breach in 2015. They can be damaging, as when the government of North Korea stole tens of thousands of internal documents from Sony or when hackers stole data about 83 million customer accounts from JPMorgan Chase, both in 2014. They can even affect national security, as in the case of the Office of Personnel Management data breach by—presumptively—China in 2015.

On the Internet of Things, integrity and availability threats are much worse than confidentiality threats. It’s one thing if your smart door lock can be eavesdropped upon to know who is home. It’s another thing entirely if it can be hacked to allow a burglar to open the door—or prevent you from opening your door. A hacker who can deny you control of your car, or take over control, is much more dangerous than one who can eavesdrop on your conversations or track your car’s location.

With the advent of the Internet of Things and cyber-physical systems in general, we’ve given the Internet hands and feet: the ability to directly affect the physical world. What used to be attacks against data and information have become attacks against flesh, steel, and concrete.

Today’s threats include hackers crashing airplanes by hacking into computer networks, and remotely disabling cars, either when they’re turned off and parked or while they’re speeding down the highway. We’re worried about manipulated counts from electronic voting machines, frozen water pipes through hacked thermostats, and remote murder through hacked medical devices. The possibilities are pretty literally endless. The Internet of Things will allow for attacks we can’t even imagine.

The increased risks come from three things: software control of systems, interconnections between systems, and automatic or autonomous systems. Let’s look at them in turn:

Software Control. The Internet of Things is a result of everything turning into a computer. This gives us enormous power and flexibility, but it brings insecurities with it as well. As more things come under software control, they become vulnerable to all the attacks we’ve seen against computers. But because many of these things are both inexpensive and long-lasting, many of the patch and update systems that work with computers and smartphones won’t work. Right now, the only way to patch most home routers is to throw them away and buy new ones. And the security that comes from replacing your computer and phone every few years won’t work with your refrigerator and thermostat: on the average, you replace the former every 15 years, and the latter approximately never. A recent Princeton survey found 500,000 insecure devices on the Internet. That number is about to explode.

Interconnections. As these systems become interconnected, vulnerabilities in one lead to attacks against others. Already we’ve seen Gmail accounts compromised through vulnerabilities in Samsung smart refrigerators, hospital IT networks compromised through vulnerabilities in medical devices, and Target Corporation hacked through a vulnerability in its HVAC system. Systems are filled with externalities that affect other systems in unforeseen and potentially harmful ways. What might seem benign to the designers of a particular system becomes harmful when it’s combined with some other system. Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The Internet of Things will make exploitable vulnerabilities much more common. It’s simple mathematics. If 100 systems are all interacting with each other, that’s about 5,000 interactions and 5,000 potential vulnerabilities resulting from those interactions. If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting, but some of them will be very damaging.

Autonomy. Increasingly, our computer systems are autonomous. They buy and sell stocks, turn the furnace on and off, regulate electricity flow through the grid, and—in the case of driverless cars—automatically pilot multi-ton vehicles to their destinations. Autonomy is great for all sorts of reasons, but from a security perspective it means that the effects of attacks can take effect immediately, automatically, and ubiquitously. The more we remove humans from the loop, faster attacks can do their damage and the more we lose our ability to rely on actual smarts to notice something is wrong before it’s too late.

We’re building systems that are increasingly powerful, and increasingly useful. The necessary side effect is that they are increasingly dangerous. A single vulnerability forced Chrysler to recall 1.4 million vehicles in 2015. We’re used to computers being attacked at scale—think of the large-scale virus infections from the last decade—but we’re not prepared for this happening to everything else in our world.

Governments are taking notice. Last year, both Director of National Intelligence James Clapper and NSA Director Mike Rogers testified before Congress, warning of these threats. They both believe we’re vulnerable.

This is how it was phrased in the DNI’s 2015 Worldwide Threat Assessment: “Most of the public discussion regarding cyber threats has focused on the confidentiality and availability of information; cyber espionage undermines confidentiality, whereas denial-of-service operations and data-deletion attacks undermine availability. In the future, however, we might also see more cyber operations that will change or manipulate electronic information in order to compromise its integrity (i.e. accuracy and reliability) instead of deleting it or disrupting access to it. Decision-making by senior government officials (civilian and military), corporate executives, investors, or others will be impaired if they cannot trust the information they are receiving.”

The DNI 2016 threat assessment included something similar: “Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decision making, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI—in settings such as public utilities and healthcare—will only exacerbate these potential effects.”

Security engineers are working on technologies that can mitigate much of this risk, but many solutions won’t be deployed without government involvement. This is not something that the market can solve. Like data privacy, the risks and solutions are too technical for most people and organizations to understand; companies are motivated to hide the insecurity of their own systems from their customers, their users, and the public; the interconnections can make it impossible to connect data breaches with resultant harms; and the interests of the companies often don’t match the interests of the people.

Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks. And while the White House Cybersecurity National Action Plan says some of the right things, it doesn’t nearly go far enough, because so many of us are phobic of any government-led solution to anything.

The next president will probably be forced to deal with a large-scale Internet disaster that kills multiple people. I hope he or she responds with both the recognition of what government can do that industry can’t, and the political will to make it happen.

This essay previously appeared on Vice Motherboard.

BoingBoing post.

EDITED TO ADD (8/11): An essay that agrees with me.

Posted on July 28, 2016 at 5:51 AM83 Comments


Alex July 28, 2016 6:38 AM

“Governments need to play a larger role”

Why? They are the problem, and one has to ask ones self, how did we get to the point where the “Internet” can cause a major disaster?

Somebody Anon July 28, 2016 6:55 AM

Not everything needs to be connected on to the internet. “For a person who only has a hammer, every problem looks like a nail”.

Doug July 28, 2016 7:09 AM

“Governments need to play a larger role”

Not subverting security standards or introducing backdoors in consumer-grade products would be a positive start. There’s a reason my 12 year old son can hack e-mail accounts: plenty of parties within LEA, the government, and the advertising industry have spent the last few decades making sure they remain vulnerable.

Joachim July 28, 2016 7:14 AM

Governments need to play a larger role: setting standards, policing compliance, and implementing solutions across companies and networks.

Let’s hope legislation looks into how some of these companies blatantly ignore the disclosure of vuln researchers. Take BellaBeat for example. They produce fitness trackers for women measuring menstrual, fertility cycles (among others). They advertise in Vogue and market themselves as a fashion accessory.

I’m picking on them because they were audited before with damaging reports[0], but ignored the damaging findings. They insist they don’t have any security or privacy problem pointing people to their ToS[1]. Arrogance prevails with most such vendors.


As long as vuln researchers struggle in being taken serious or even harassed for disclosing findings it doesn’t look good. In terms of government playing a bigger role, let’s hope priority is in creating a legislation that forces vendors to formerly address findings and take researchers seriously. The alternative is these bugs spilling into the real physical world, people get physically hurt and researchers get punished for doing their job.

Who me July 28, 2016 8:02 AM

It’s unclear to me why the obsession with putting IoT devices on the internet. Seems to me the place to start is control on a secured LAN, if we must do this at all. As for the internet:

OK, I want to open my garage door from a mile away. Aside from the obvious idiocy of doing that over the internet, the surveillance value of knowing this kind of data for corporate/government spies is immense, but also criminals.

I must dredge up the Clapper Light, which might still be around. Clap your hands the light goes on, clap again it goes off. Except sometimes, to most times, it didn’t do either so you are standing there clapping like mad and the damned light won’t do your bidding.

I suspect cheapo junk IoT devices will be about as reliable.

It’s nuts alright.

z July 28, 2016 8:42 AM

We need to educate developers to think like hackers. There’s a disturbing trend among many of the CS students and grads I have seen where they get things working first, add features second, then think about security later (if at all). It’s damn near impossible to lather security on after the fact. It needs to be written from the ground up with the expectation that a lot of bad people will be trying their best to take control of it.

I propose one or more mandatory offensive security courses as part of CS curriculums. Teach students how to exploit stuff. Have them exploit their own and each other’s stuff. Then they will have a better grasp of the dangers and hopefully a better idea of how to write secure code.

Daniel July 28, 2016 9:32 AM

we’ve given the Internet hands and feet:

That is powerful imagery Bruce. In the future you shouldn’t bury that image in the middle of the essay; bring it to the introduction or conclusion where it can make a stronger impression.

Couldn'tPossiblyComment July 28, 2016 9:36 AM

Seems like one significant problem is that we have no control of range on the Internet. There was a time where at least a hack of, say, a wireless car key, had to be within a certain range.

It would be lovely to have protocols or communication systems that weren’t necessarily Internet-enabled, or the key infrastructure controls required local input. Oh wait, we do, they’re called LANs (and the SCADA equivalents) and air-gapped systems. Maybe there are ways to make Internet-enabled systems only deal with ‘local’ connections, but I’d imagine that it’s all far too easy to spoof. I’d be far happier with an Internet of Things where the Things have command and control (essentially, write access) only available in certain locations, but if we could solve that, we’d probably have solved all sorts of problems already…

I couldn’t agree more with z – the vast majority of developers are utterly clueless about security, aren’t motivated to care, and have no interest to develop secure systems, because it provides no additional funding.

I do think that legislation has a role to play, as it always has if only our various governments could look up from being able to spy on everyone for a moment. Mandating that IOT devices meet standards is a valuable legal framework that we have in every other sphere of engineering (consider safety standards on medical equipment). Lacking that makes IOT a wild west, and we know what happens when cowboy engineers handle devices that have significant safety implications.

The problem seems to be that most legislation is built to protect the lobbyists, i.e. ‘don’t steal our invention, don’t reverse-engineer our stuff, don’t expose vulnerabilities that damage our stock price’. With that in play, I have little faith governments will do anything until there is a disaster, but then, that’s how most safety standards came about – people died.

ianf July 28, 2016 10:01 AM

It is unclear to @Who me why the obsession with putting IoT devices on the internet.

What obsession. Greed isn’t enough? Stupidity and hunger of hardware and services providers to have a presence on “the social media”?

Personal experience: about 5 years ago I was asked by a management consulting firm tasked with upgrading a public utility’s web presence for an opinion on how to formulate the text in their proposed new “I just signed a NNN/year utility bill with BRAND” social media buttons on the updated web pages. Who do you imagine will be willing to post that, I asked in return. Why, you and I, everybody. I suggested shortening the text to “I pay NNN/ year. Check your bill, then call BRAND,” but warned them that, unless they added some reward incentive, the response rate would be nil to infinitesimal. They didn’t fancy my lack of enthusiasm, contact ended there.

Now and then I look for instances of these like buttons on Twitter, there is perhaps a couple/ month, wouldn’t surprise me if from prospective/new employees who were shown the buttons as part of their orientation tour by the HR people. They serve several million people, sign/ update ~200k individual contracts per month. I didn’t check their likes on Fuckfacebook, not for free anyway.

    (Also, my parallel suggestion that, instead of having new customers fill in address etc before giving an cost estimate, the server should decode the IP geo-location AND automagically present a
    Median kW price near you is NN, our competitors charge from 2.5% more [press here to change address]

dialog, was not heeded. I suspect not even breached to the client because then the consultancy firm would have to redo the web pages anew.)

SoWhatDidYouExpect July 28, 2016 10:16 AM

In a nutshell, don’t install or use IoT devices. In particular, those that control things in your home (furnace, garage door, entry doors, etc.)

There will come a time when suppliers will attempt to force such contraptions into homes. In particular, new home construction will already be equipped. New cars are already equipped (I recently purchased a used car but chose one old enough to not have in-car electronic playground; I know how to drive from point A to point B – my car should not be a road tracking device).

Think about that car thing for a moment: vehicles that do not use taxable fuel will soon face paying road use taxes based on the electronic tracking that is already installed. It takes a law change in many places but that hardly seems a barrier.

Speaking of law changes, expect the same to occur for your utilities and other in-home services, with the intention to facilitate profiling your usage and selling the data to interested parties (or being forced to give it to the guvmint).

John July 28, 2016 10:21 AM

Z: “I propose one or more mandatory offensive security courses as part of CS curriculums.”

This, I’d take it further and require one per semester. Way too many knuckleheads in devops.

Mike Barno July 28, 2016 11:04 AM

While one can certainly question the brief conclusions, the core content of this article does a good job of explaining the problems, and making them clear so two groups of people can understand:

1) People who dismiss every tech-security concern with a blithe view “I have nothing to hide, so why should I care?”

2) People who find anything technological to be too complex for understanding, so they turn their attention to topics they know better.

The concerns under discussion will soon affect every politician, every business executive, and eventually every average Joe. In many cases they already have effects that simply aren’t recognized, so people don’t make conscious choices using sensible planning.

Henry's Rollin July 28, 2016 11:09 AM


I don’t think you’re going to retrain the vast majority of easy money graduates to think like partially self taught hobbyists.

Curiosity is a driving force and it cannot be taught, people can be taught to ask questions but if they’re not curious they won’t dig very long.


I completely agree.


“If 300 systems are all interacting with each other, that’s 45,000 interactions. 1,000 systems: 12.5 million interactions. Most of them will be benign or uninteresting,”

What concerns me, is the sheer amount of cover available in that scenario. Are we prepared to listen to and parse 1000 different proprietary protocols? If and when something is ‘turned’, will we see it in all that noise? It’s the difference between your teen-ager having a small get together at your house or a full fledged rock concert with Gwar.

Are you ready for Gwar?

ZR July 28, 2016 11:21 AM

What concerns me most regarding security in this age is that the adoption of IoT and cloud-based (as much as I hate the term) technologies have risen simultaneously. Not only is my thermostat connected to my home network, it’s also connected to a central node owned by the manufacturer, along with the other millions of other thermostats sold by that company. Now, take (almost) every other IoT device in your home and apply the same concept – that’s a lot of fronts defend at once. Furthermore, what used to be a tedious and piecemeal task of stealing peoples information, one house at a time, as been conveniently located to a centralized one-stop-shop for hackers.

I’ve felt strongly for a while now, that common practice needs to shift back towards the center of the spectrum – to a semi-centralized, semi-localized way of organizing systems and data. We need improved security in each home, for our devices to operate with “CIA” and I think many of us would prefer to hold certain information about ourselves on our own premises and return to truly “owning” our data. In the process, the physical dispersion networks and data will only help improve security and deter threats (risk/reward less enticing).

Systems will always have to update, and connections to centralized hubs, of course, can’t be completely avoided. But I think the fewer dependencies, the better. As noted above, computers have become much cheaper – I don’t think a secure, vpn-equipped home server in each home is unrealistic or unreasonable.

John July 28, 2016 12:11 PM

Systems will always have to update

Ehm, no?

Bought a new TV before xmas – just a display device, mind you, since the TV offerings aren’t worth much to me. The damn thing insisted on an internet connection to get to any useful state.

Again: Ehm, no? Here’s a wifi network for you, dear display. Better hurry since it will cease to exist 5 minutes from now.

I’ve not had it hooked up to any network since, and haven’t seen anything that doesn’t work so far. I’m sure I’m missing out on some cool new features in those part of the thing I’m not using anyway. Eat me.

JdL July 28, 2016 12:16 PM

Governments need to play a larger role

Those entities filled with law-breaking psychopaths who have led the way in criminal spying of American citizens: THAT’S who you want to play a larger role? I spend my security efforts to protect myself FROM the government, not to partner with them.

Robert R. Fenichel July 28, 2016 12:24 PM

There is a calculation error in the post. There are N^2/2 first-order interactions among N objects,so for N=1000 there are 0.5 million interactions, not 12.5 million.

Peter Gerdes July 28, 2016 12:33 PM

What is the real threat with adding all these internet of things to the network?

1) The threat posed by bland control/information systems being used as an attack surface.

2) The threat posed by critical control systems.

2 will get lots of attention and have serious resources devoted to it. Pacemakers and cars may have problems but they aren’t in quite the same category of thermostats you mentioned above.

Can’t we deal with 1 by creating hardware specifically for these systems that provides only a very limited ability to customize network communication. If we don’t even give thermostats and refrigerators the ability to craft or decode general packets (maybe even force them to link-level only with a local server) they can’t spy or present an attack surface without concurrent flaws in a general purpose (but upgradeable) computer.

Seems to me there are probably good solutions here that aren’t even expensive but may require a great deal of coordination.

K.S. July 28, 2016 1:16 PM

Markets failed to protect consumers because consumers don’t have sufficient knowledge to understand the problem and prioritize secure solutions. We could attempt to educate or legislate.

Dave Sill July 28, 2016 1:16 PM

“This is not something that the market can solve.”

I think it’s something the market HAS to solve. If the non-government entity UL can handle electrical device safety testing and certification, why couldn’t they or someone else do the same thing for IoT security?

targetdrone July 28, 2016 1:27 PM

Not installing IoT devices in your home may be fine for some people, but the savings, convenience, and energy conservation are far too great for that to apply to everyone. Instead of throwing away this great opportunity, we need people willing to take the risks so that we can all learn from their failures. People with IoT door locks are going to risk burglary. Does that mean we shouldn’t have IoT locks, or does that mean that we should learn from failures and figure out how to secure them? So I’m willing to risk it.

We tend to see security as too black and white: because a hacker can remotely open a door, therefore an IoT door lock will instantly generate a burglar on my doorstep like some Pokemon Go creature. The real world isn’t like that, though. I believe that my door lock has been tested by burglars looking for an unlocked house very few times in the 30 years I’ve owned it. So I’ve evaluated my personal risk of having an IoT lock as not-very-high. Why am I not more afraid of getting hacked or socially engineered? Because when the neighbor’s house was burgled, the thieves simply kicked in the door, shattering the frame. The door locking technology was irrelevant. (As a result I strengthened my door frame, but if the thieves want to enter my house they’ll simply break a window.) An IoT lock is just not a high enough risk to panic over.

The value was demonstrated to me again yesterday, when I received an unexpected alert on my phone from my IoT door that it had been opened. I texted my wife, who said she opened it for the dog walker; at the same time, I received a text from the dog walker asking me to open the door because she had forgotten her key. The personalized double messages gave me confidence that it wasn’t a social engineer convincing my wife to open the door, so there was no need to rush home to try to prevent a burglary in progress. In this case, the IoT saved us from wasting gas on a drive home, they saved the dog walker from making a needless trip to get their key, or our dogs suffering because they couldn’t get outside in time.

If you don’t want IoT devices in your life, fine; but don’t tell the rest of us we don’t want them, that we shouldn’t have them, or that we’re stupid for having them. We understand the risks, and made intelligent, informed choices. And so we’re deriving the benefits, while providing data to the world about the risks. You’re welcome.

albert July 28, 2016 2:17 PM

Does anyone really think the the gov’t is going to do anything about IOT ‘security’? Or cyber-security in general? How many major hacks have occurred in this country? How many times do we need to see the evidence, before we take action?

There’ll be a lot of talk, then -maybe- new regulations proposed, which will be watered down by manufacturers.

It’s about assuaging public fears, by acting like they’re doing something. The only thing the LE/IC/Corporatocracy care about is their jobs. That puts everything in perspective. That’s one of the reasons we need bogeymen. If it wasn’t for those damned ________ies, __________ wouldn’t have happened.

It seems to me that we continue to stumble from one crisis to the next; crises that have been predicted years, even decades ago. Is there and endgame?

When porcine excrement rains from the skies….

. .. . .. — ….

Kaylyn July 28, 2016 2:29 PM


I agree that in isolation the door itself being hacked is an unlikely and not very useful attack.

What about the attack surface the door lock provides? If it’s communicating with the Internet, vulnerabilities could be used to get a foothold into your internal network. Rather than the door being compromised, you may have other more important devices on your network compromised via the door lock.

David Leppik July 28, 2016 3:21 PM

This is particularly coming on the heels of news of evidence that Russia is playing sides in the US presidential elections. Far too many US precincts use electronic voting, which is easy to hack and lacks a paper audit.

It’s not hard to imagine that the election might be stolen by nefarious foreign powers.

John July 28, 2016 3:53 PM

@Dave Sill said “I think it’s something the market HAS to solve. If the non-government entity UL can handle electrical device safety testing and certification, why couldn’t they or someone else do the same thing for IoT security?”

Take a look at what Mudge(Peiter Zatko) is trying to setup.

ianf July 28, 2016 3:56 PM

@ David Leppik,

assuming a worst-case scenario, that of a unfriendly foreign power surreptitiously rigging the electronic vote to place a presidential favorite of its own on the American Throne… do you think they could have done worse than the present choice between Pest and Cholera?

As an outsider, the US electoral system (and customs) seem to me to be that badly broken, that, short of a world-apocalyptic event upending the status quo (eruption of that magma volcano under Colorado, say) nothing, N.O.T.H.I.N.G will ever change it for the better.

So what’s the point of worrying about foreign adulterated vote when experience tells us, that a few well-placed Daddy’s friends in high places, a governor-brother in one state + a manageable number of hanging chads, can be as effective a vote-getter, as any unfriendly fraud begetter. IF you understand what I mean, AND of course you do.

Grauhut July 28, 2016 6:21 PM

The more networked device someone uses, the smaller is the chance to have working opsec.

Its a question of attention. The more devices, the less attention resources per device is available and if it gets too much and you have to trust in professionals that can be FISAed you are lost.

Less is more.

Dirk Praet July 28, 2016 7:24 PM

@ Kaylyn, @targetdrone

If it’s communicating with the Internet, vulnerabilities could be used to get a foothold into your internal network.

The nail on the head. This can be mitigated by subnetting, aggressive traffic monitoring, NIDS and strict ingress/egress firewall rules. But I’m afraid such a setup is well beyond the average Joe or Jane, and a maintenance nightmare even for those who are capable of doing it.

@targetdrone has a point that eventually quite some IoT devices will be forced upon us, but that doesn’t change the fact that most of them will be horribly insecure due to the usual race to the bottom and for all practical purposes will need to be treated accordingly.

Anon10 July 28, 2016 8:01 PM

@David Sill,

Most buildings codes require U.L. or equivalent certification, so there is a legal requirement to have certification from some NRTL, at least if you want to be able to sell your products nationally.

Cisco Kidd July 28, 2016 10:11 PM

Internet of Things? “Oooh, look at the nice horsie! Let’s tow it inside our impregnable gates and get drunk!”

Early adopter? Go ahead, pal. Second mouse gets the cheese.

yoshii July 28, 2016 10:47 PM

Thanks so much for this article about the risks of the so-called Internet of Things.
I am really upset by the blind faith promotion of the IOT done by businesses just trying to cash in on it. As someone who has studied some computer science, and some applied computer science, I am just shocked by the ignorant impetus towards chaos.

For all those who are reading between the lines, the above link is also a related concern.
May Peace Prevail on Earth.

Non-Aggression Pact, always.

Some Guy July 28, 2016 10:51 PM

Nearly every successful attack starts at the same attack surfacethe human and then executes the payload by attacking a design flaw. (okay, worms are only a design flaw)

Design flaws can be fixed. Humans can’t.

Unfortunately, the design flaws are created by humans, so we can never achieve perfect security. Resilience to design errors is missing from today’s designs. Elimination of the Internet is too expensive.

At the high end commercial SCADA level, there are typically multiple levels of security to bypass when entering through the Internet including isolated local networks that perform controls. The low end sticks it on their corporate intranet, which is excuseless. Fortunately, this is disappearing, but way too slow. The home IoT will likely never be secured except by the limited number of people with higher end skills

Mark July 29, 2016 12:14 AM

Bruce, why do you put in comments from Clapper and Rogers? They’ve continually lied to Americans and their own government. Intelligence agencies aren’t part of the solution to this problem. They can’t be trusted to secure anything — it’s not in their best interests. We’ve been through this.

Your essay, unfortunately like too much of the world, is far too US centric. Looking to America to solve privacy issues isn’t a winning combination.

Anyway, here’s something of substance from a European perspective. It’s an IoT opinion paper based on the EU Data Protection Directive. It lists concrete recommendations.

Here are a couple of the recommendations:

  • Conduct a privacy impact assessment before releasing a device.
  • Delete raw data from the device as soon as it has been extracted.
  • Follow privacy-by-design and privacy-by-default principles.
  • In a user-friendly way, provide a privacy notice, and obtain consent or offer the right to refuse.
  • Inform users of data that has been collected and enable them to access, review and edit that data before it is transferred.

It’s well worth a read.

Curious July 29, 2016 2:10 AM

I am inclined to think that it would be a good idea to try work out what bias your government have and otherwise might have, when working with regulating the internet of things, to get the best out of this idea of soliciting the government to act.

• A problem with industry lobbying corrupting progress
• A problem with anything so called “national security” corrupting progress
• A problem with lack of focus, maybe corrupted by think tanks that doesn’t work for you

So, I think the most important part is the ways in which one (you) think about achievable goals, so that such goals are not undermined or misunderstood by government efforts, so that you in turn can react to that and press on for needed changes and improvements. Because once the government is allowed to sit there with their own and maybe non-disclosed ulterior motives and, I think there is no knowing what to come out of it if for example politics or economics is free to wildly control an effort at improving things.

I guess the second most important thing by understanding improvements to IoT, is to make concrete, the expectations one ought to have, so that you can actually achieve specific things, and not let the end result remain as some kind of relativistic endeavor with arbitrary results, in which someone would argue that “things are better now than before”, or “things are good enough now”.

This in turn makes me wonder how anything technical is worked out today, for those that work with standards and whatnot.

ianf July 29, 2016 2:57 AM

@ Curious is

    inclined to think that

    it would be a good idea to

    try work out what bias one’s government has

    and otherwise might have

    when regulating the IoT

    to get the best out of this

    idea of soliciting the government

    to act.

Nice poem. Let me still your unease: all any government ever wants is to stay in power as long as it can within the general power-sharing parameters that it once has agreed to, and been entrusted with. That is their sole bias, as you put it, they don’t care about IoT one way or another UNLESS the emergence of it threatens to impact on (or promises to advance) their goals.

Hence a government’s priorities in this, and the population’s that it is a leader of, do not necessarily mesh or overlap. In fact, the IoT concept carries with it a great deal of perverted promise to act as a tool for manipulation of the masses while giving same the impression that it is they that are in control of anything from remote readout of fridge’s temperature to ad-hoc-single-question-referendumbs democracy.

    In fact, the latter ought perhaps to be rebranded “clickocracy,” because that is what it’d amount to.

Miksa July 29, 2016 3:24 AM

The one easy thing that governments can do, is mandate that devices that are capable of connecting to the internet must be able to update themselves automatically without user intervention and the manufacturer must provide the update service for the expected lifetime of the product.

Google OnHub router and Tesla Model S can manage this and we must require this from all products.

Curious July 29, 2016 3:31 AM


I don’t find it convincing when you make a point that there is just one bias, as if the government only want to stay in power. But perhaps that is my fault.

What I meant by referencing “the government”, was the state and its institutions. Maybe I should have been more clear about that. Presumably, the state and its institutions can be said to be a part of government, or the government.

I can imagine that the institutions will be subject to such things as:
• being lazy (not wanting to take things seriously)
• being reckless (not wanting to take things seriously)
• wanting to spend the least amount of money
• wanting to pace regulation that suit their own needs
• having ideas and projects that maybe work against new ideas and new improvements
• being incompetent (not having the qualifications for working out good solutions)
• being nostalgic maybe (think tradition and habits)

ianf July 29, 2016 6:15 AM

@ Curious questions my assertion that […] “government only wants to stay in power

Yes, that is any and all governments’ sole objective, all the others are subordinate and oftentimes what our brothers & sisters the Yanks call “window-dressing.”

    Or do you think that political parties go through the motions of elections to be able to clean up the mess of previous team and in order to set the table for the next one?

Yet that (in a nutshell) is what your way of putting it amounts to; so you either are ignorant or naïve – out of mercy I’ll go for the latter. Your analysis of the workings of “state/ institutions/ government” reminds me of this:


You keep imagining that… the institutions will

• “want to spend the least amount of money

CORRECTION: set up as big a budget as it can get away with, and in the preemptive knowledge that it will be cut. The bigger the budget, the more important an institution must be.

• “want regulations that suit their own needs

CORRECTION: An(y) institution set up to exert control over some domain usually ends up as a lobbyist for its clients there, promotes advance of their needs. That’s how it survives as a branch of government to the next reshuffle. You should read up some political science basics, but self-serving memoirs of Civil Servants[sic!] will do as well. Or simply binge-watch the original “Yes, Minister!” TV series, pay special attention to the machinations of Sir Humphrey Appleby.

• “have ideas/ projects that [no “maybe”] work against new ideas & improvements

RECOMMENDATION: “Parkinson’s Law or The Pursuit of Progress.” If Civil Service mentality is not your bag, you could do worse than to study the bureaucracy-intruding components in e.g. “No Highway” and other books by essentially a gifted aviation engineer-racconteur Nigel Shute (too many to list).

@ Miksa,
               you’re quite right, we need more governmental micro-management in industry, because when we had state-run such, the matters were so much better. Also some of the text on toothpaste tubes is now so small, that I no longer can read it prior to brushing my teeth. Government should mandate minimum acceptable type point size for the obligatory information booklets for any stuff that we’re supposed to insert in our or others’ orifices. More Brussels gravy, and not only on nom-nom Brussels sprouts!

Peter A. July 29, 2016 8:30 AM

A few random thoughts.

  1. [@targetdrone et al.] Geeky freedom of choice. It is perfectly fine to make an informed decision to use some IoT gadget and nobody should be looked down on because of that. But it may not be a perfectly informed decision (think NSA TAO etc.) and at some point the decision won’t be yours. During the last blatant (no warning, sudden power cut) replacement of my electric meter (due to end-of-certification-life) I got another electro-mechanical one. I was lucky the tech grabbed whatever was gathering dust on the shelf at the moment. My neighbor on the other hand got a digital remote-readable-and-whatever one already and nobody asked him for an opinion. Soon this madness will include other utility meters, thermostats (to save the planet! – and the grid owners) and whatnot. Look up Clive Robinson’s extensive comments on “smart” meters. Scary.
  2. [@Who Me, @Could’ntPossiblyComment at al.] Geeky uber-confidence. A knowledgeable person may shield her family from the IoT threats by proper buing decisions, configuration, isolation, safeguards etc. and still benefit from the useful and empowering side of it. But it is an uphill battle. The problem is, as @Grauhut says, attention deficit. I have already refused to buy “smart” phones for my family just because I can’t find time to manage these always-online computers semi-properly, having already several laptops, desktops, routers, DNS server, email server etc. etc. on my head. I’ve dropped jabber server after recent hardware crash & restore just because its another piece to take care of and it was barely used. It’s already a year since I bought a “smart” TV (just because there weren’t any decent “dumb” ones) and I still had no time to set up a media/NAS server and rip all these DVDs as I promised. Kids still keep shuffling and scratching the disks and then complaining 🙂 The TV stays unconnected to the network – I haven’t found time to research and firewall it. No Skype chats or YouTube vids on it, sorry! As I get older and the family grows (in age and number) there WILL be a point at which I’ll just drop all this security “paranoia” and there won’t be anybody to pick it up. Game over. (Well, the little one seems promising but you’ll never know how it plays out in the end.)
  3. [@WhatDidYouExpect, @John et al.] Geeky reclusiveness and DIYness. You can refuse the shiny new things (and even boast about it, in some circles at least) and use the good ol’ stuff you know how to fix or who can fix it for you. Or use the new things, bending them to your will. But there are limits to it. There’s only so much obscure knowledge capacity in your slowly deteriorating brain, so much time and money to spare. At some point it will be prohibitively expensive (with regard to any resource of yours) to acquire, maintain and fix the good ol’ stuff – and to “fix” and re-fix the new stuff. You’ll have to budge some day. I tend to buy new cars: partly because I just like it and can afford it, partly because the used cars market is rife with fraud over here. I have no time to thoroughly X-ray every prospective buy. I will be facing a trilemma soon: buy a used car and risk getting a chimera welded together from three hopelessly crashed ones – or just one with mileage cut in half or worse; buy a new one and dive head first into arcane magic of getting rid of industry-standard or legally mandatory “features”; or buy a new one and live with it. And I fear it’d be the latter. Damn.

To summarize: geeks may be able to protect their personal privacy and dignity and their data confidentiality and integrity to some degree and for quite a time still. But it is already staring to be the game over situation for “regular” people.

How to prevent it? It’s a multi-trillion-dollar question.

r July 29, 2016 9:38 AM

@Curious, ianf

Curious said: “I am inclined to think that it would be a good idea to try work out what bias your government have and otherwise might have, when working with regulating the internet of things, to get the best out of this idea of soliciting the government to act.”

ianf said: “Let me still your unease: all any government ever wants is to stay in power as long as it can within the general power-sharing parameters that it once has agreed to, and been entrusted with. That is their sole bias, as you put it, they don’t care about IoT one way or another UNLESS the emergence of it threatens to impact on (or promises to advance) their goals.”

I saw someone somewhere about these here parts state that this means the government is broken. From a moral standpoint it’s both the market and the government, but from a functional standpoint neither one is. We already have institutions in place to secure our cities and townships, would you like to put them all out of work? A secure home might be a happy home but it wont be a happy officer, happy investigator. Another thing to consider is consumers, if American companies weren’t selling this garbage Chinese ones would be. So the market technically works, sell the crappiest most insecure fad of the day to consumers and trade said companies stock on the floor of Congress. When something bad happens, we have a rounded out portfolio including gun stocks so it’s a win win.

If something major happens? Cut a press release for the people and we’ll ride the wave of glory all the way to the Oval Office.

I posit, that it’s not broken: it’s you (and me).

I don’t remember who called them all sociopathic, but it’s certainly not unreasonable to question their etiquette and goals. They are most definitely suffering from conflicts of interest, unless they’re not even remotely in charge of our security. They’re too busy being self-serving instead of servants of the public. If they want to trade weapon and IoT stocks on the floor they should step down and let a true servant take the lead.

There’s little incentive in fixing things when they are only able to sell cut-throat priced devices in a global market place, we have to cut the throat of other countries to remain competitive in this race to the bottom (unfortunate, but true).

We could strive to be a leader, but as evidenced by their day-trading that is almost certainly not on their minds.

Party lines! Party Lines!

r July 29, 2016 10:26 AM


I am thinking that neither the government or market are broken, that’s it’s us for not jumping on the “who cares” bandwagon. It’s up to us as developers, as security engineers and as IT specialists to make the difference. Sure, there’s minor things that need to be fixed like floor trading, special interests, companies not fixing things fast enough, etc. But all in all I think until the public is burning down D.C. it’s not going to be an issue with the government: the NSA profits, the NRA profits, we “profit” (from cheaper devices and competitive markets?), congress profits, police profit, hospitals profit, the whole medical community profits… The engine runs along just fine until it throws a rod, at which point we fix it. I seriously enjoy being part of the community that tries to envision disasters ahead of time… but come on, even the insurance companies profit from this.

What kind’ve American wouldn’t get all excited about having his 401k stuffed with the bodies of the < 1% ?

Only those who are broken in the eyes of the system[atic] undermining of security and privacy.

r July 29, 2016 10:45 AM


Your comment about (our) government[s] striving to maintain status quo is a good example: when the rod is thrown, we’ll just replace the damaged parts. When was the last time we got a new motor? Even our (my, and others) declaration of independence from you guys (clive, ianf?) was based on existing designs.

So, it’s never and not entirely broken. We could use a tune-up, but there-in lies the problem. Do we drive it until it breaks? Or do we pull into a shop and have them re-hone our cylinders? I’m really under the impression that it’s up to us, the owners (and mechanics) and not the manufacturers to keep these things running safely on the public roads of life.

But, that’s apparently a decision for individual owners to make on a case by case vehicular homicide basis.

Do I risk driving without brakes today?
Do I risk driving without breaks today?

I think that the onus is on us.

yoshii July 30, 2016 12:31 AM

@ “Mark”, some nice insights you made, thanks.

@ Mr Dave Leppik.

I wouldn’t worry about the recent propagandistic spins on the Russian hackers. From THIS site I learned before it was on mainstream news that the hackers were gathering (not stealing, nor sabotaging) information about Trump’s negative and non-desireable characteristics; his weaknesses and defects. This corresponds more realistically with the facts of the hack and the comprehensible curiousity of those beyond the USA. People really want to know, “just how crazy is this guy? how bad can bad get? will this wildcard be a threat?”.

Personally, I am thankful to the non-malevolent hackers for inadvertently revealing the corruption within the DNC that Bernie Sanders was upset about. Corruption can happen anywhere. The FBI is concerned with civic corruption according to their website.

I feel that it’s highly unfortunate that ignorant people are yet again scapegoating governments when the reality of hacking/spoofing/proxies/etc is that it’s extremely difficult to know the true identity and origin of a hack/hacker(s).

And when the identities are known, usually it’s amateurs or semipros or script-kiddies or whatnot. This could’ve been some college kids who just wanted to know more about Trump.

America’s mainstream news really doesn’t tell most of the US population much about anything, there’s a lot of wild speculation and talking heads and celebrity gossip. So foreigners probably really want to know from better sources of what the actual truth is.

They were seeking the facts and they probably could’ve just ASKED the DNC to tell them abou t Trump and get the same facts. But by nature hackers are like prospectors or the Star Ship Enterprise. They just want to go where the data is.

Anyways, I hope this puts you a bit more at ease.
There really are bigger issues and I wish the repetitive scapegoating of Russia, China, etc would discontinue. Statistically speaking, I thought a lot of hacking occurred with origins in the USA and Latin America, and where the WWW data hubs are.

Peace be with you, and yours.
And Peace to you, as well, Russia and China and even you North Korea.
And of course there is no consensus within nations. There’s just too many people to falsely accuse a single entity of “wanting” this or “causing” that, or being at fault for this or that.

It’s too bad the news isn’t broadcasted in the dialect E-Prime.
That might be nice start. And they really ought to cite the exact specifics of who/what/when (in GMT time)/where/why/how and leave out the what-if’s of the talking heads.

WE REALLY NEED TO KEEP THE COLD WAR ENDED. And breeding possibly unfounded suspicions about nations isn’t healthy for international relations.

I’m not accusing you, Dave, just venting in particular.
Allegations are just allegations, but done too much in USA it’s libel or slander.
But we can’t afford to have all this hostility and blame and paranoia spilling out of control.

The hackers didn’t really do a whole lot, and they really aren’t “adversaries” and Russia isn’t an adversary either. Neither is China. We have sister cities and exchanges of all sorts and cultural sharings with both. We have families amongst them and them amongst us.

It’s typically the militaries and sometimes the aristocrats who hold the competitive attitudes or at least seem that way. The masses of people, millions and billions, are not accurately represented.

We have no issues with others trying to live a good life. And they have no issues with us trying to live a good life.

Propaganda is toxic as is gossip.
Again, peace be with you. And thanks to you and anybody reading this.

A Nonny Bunny July 30, 2016 3:01 PM

basically, the three things I can do with your data are steal it (confidentiality), modify it (integrity), or prevent you from getting it (availability).

Seems like there ought to be one more. These seem to be about unauthorized read- and write-access, and preventing legitimate read-access. But you could also prevent my write-access, i.e. denying me the means to fix/update/delete my data.

free July 30, 2016 3:58 PM

“Governments need to play a larger role”

Just in case people haven’t yet figured out what kind of fascist schneier is.

A Nonny Bunny July 31, 2016 4:09 AM


That would be one way to prevent write-access, sure. But so would a breach of confidentiality (if there’s a copy of your data, you’ve also lost control).
But I can imagine there’s also cases where your data is confidential, accessible, and yet you can’t change/delete it (perhaps because it’s append-only).

Dirk Praet July 31, 2016 12:08 PM

@ free

Just in case people haven’t yet figured out what kind of fascist schneier is.

Regulation equals fascism? You do realize deregulation was at the heart of the 2008 financial crisis, do you?

free July 31, 2016 1:20 PM

What I realize Dirk is that you don’t have a clue or worse. The financial crisis was caused by a corrupt and fascist banking system wholly supported by a fascist government. The very same fascist government that schneier cheerleads for.

Dirk Praet July 31, 2016 5:21 PM

@ Free

What I realize Dirk is that you don’t have a clue or worse.

I’m obviously wasting my time here, but for what it’s worth: fascism is a type of radical authoritarianism in which from an economic perspective the government exerts full control over the economy and the financial system. In the US, it’s exactly the other way around, where big corporations and finance control the executive and legislative branches as to avoid any law or regulation that goes against their interests. This system is known as capitalism.

I guess they don’t teach that sort of stuff at Trump University.

free July 31, 2016 6:43 PM

Fascism is a political system characterized by

1) nationalism/jingoism
2) militarism
3) tight cooperation between big business and the state.

The US exhibits those three characteristics, plus others like a cyber police state, high porcentage of religious crazies, ‘lefty’ politically correct totalitarians and more. You know, biggest military in the world and illegal occupying bases in tens of countries must mean something…Highest incarceration rate should give you a clue too.

As to your attemp at redefining capitalism and fascism as synonyms, laughable nonsense.

” Trump University.”

I’ve nothing to do with right-wing american fascists. But perhaps you learned all your political wisdom at obomba’s children droning university?

Back to the topic at hand. People who want an even bigger american ‘regulatory’ police state, like schneier (and you I suppose), want an even bigger fascist state and so – they are fascists.

Anon10 July 31, 2016 8:10 PM


You do realize deregulation was at the heart of the 2008 financial crisis, do you?

This is highly debatable, at least in so far as the US is concerned. Hedge funds(Lehman Brothers and Bear Stearns) weren’t deregulated, so much as they were never regulated to begin with. The GSEs(Fannie Mae and Freddie Mac) were regulated, but the regulations, if anything, were pushing them to make risky loans to low credit rating borrowers, and setting the stage for the financial crisis.

Dirk Praet August 1, 2016 4:19 AM

@ Anon10

This is highly debatable, at least in so far as the US is concerned.

It definitely is, and many a Wall Street backed think tank and study vehemently denied it for quite obvious reasons. It was however one of the key conclusions of the Financial Crisis Inquiry Commission, at least that of the majority report.

Not only did the report accuse financial institutions of greed and ineptitude, it also pointed the finger at severe government failings. Fed chairman Alan Greenspan was hammered for advocating deregulation, citing a “pivotal failure to stem the flow of toxic mortgages” under his leadership as a “prime example” of negligence.

Paulson and Bernanke were criticised for an inconsistent response to the crisis and for mistakingly thinking the subprime collapse could be contained. The 2000 decision under the Clinton administration to shield over-the-counter derivatives from regulation was called “a key turning point in the march toward the financial crisis.”

Dirk Praet August 1, 2016 5:20 AM

@ free

Back to the topic at hand. People who want an even bigger american ‘regulatory’ police state, like schneier (and you I suppose), want an even bigger fascist state and so – they are fascists.

I sense a lot of anger in your comments. May I take it that what you are proposing instead is some sort of utopian anarchist society that somehow magically regulates itself?

ianf August 1, 2016 6:38 AM

@ Dirk Praet
                     senses a lot of anger in @free’s comments.

May I take it that what you are proposing instead is some sort of utopian anarchist society that somehow magically regulates itself?

As do I (sense). For some reason this reminds me of this eye-opening review of the book Spain in Our Hearts, which… in as much as a historical essay based on “collective biographies” of 7 American and 3 British volunteers for the Republic can be trusted, esp. in its depictions of that Anarchist Nirvana in Catalonia 1936-1937, it indeed “ought to supplant Orwell’s POUM-centric Homage to Catalonia as the best introduction to the multi-tiered Civil War there.”

Dirk Praet August 1, 2016 7:33 AM

@ ianf

… in as much as a historical essay based on “collective biographies” of 7 American and 3 British volunteers for the Republic can be trusted, esp. in its depictions of that Anarchist Nirvana in Catalonia 1936-1937 …

The exact experiment I was referring to and I am also familiar with the works of Kropotkin and Bakoenin. I share your skepticism about said testimonials. These days, we see similar stuff from foreign fighters glorifying life in the Islamic Caliphate, so it probably depends on which chair you’re sitting on.

The myth of self-regulating markets and societies is a very persistent one indeed, especially in the US. It’s not the first time on this forum someone goes completely off the deep end when the word regulation comes up.

ianf August 1, 2016 11:07 AM

@ Dirk Praet “shares my skepticism about said testimonials.”

I think you were too fast a draw with the conclusion above… my conditional objection here was whether such a narrow sliver of experiences of Spanish Civil War could be considered foundational for understanding of the whole. The essay’s author seems to be aware of that bias, so that’s an argument in his favour. As for relying on others’ collective biographies of his subjects (I take that to mean traces of named individuals culled from primary sources, incl. autobiographies and memoirs), I am actually inclined to trust an aggregated picture more, than a “genuine” but a single point of view one. Not less because errors and overt embellishments do not usually survive to the next, edited essayist treatment level.

Regarding the Anarchist Nirvana… there is another documented collectivist horror instance of such, the emancipation of day labourers, and simultaneous disenfranchisement of large latifundia in Portugal post the 1974 popular revolution. Look up that episode in “In Europa” by Geert Mak – a iconoclastic, fragmentary history of Europe since 1900, both a 24-part documentary film on DVD, and like named book (I think that at least some of the TV episodes are subtitled in English, no idea why not all. I’ll read the THICK book when I retire, or retire permanently without reading the book, whichever comes first. But you should be able to get hold of this Dutch box set from some library).

Long story short: what used to be the source of oppression by slave wages in populous countryside, is now a looted ruin in a depopulated region. Truly eye opening, too.

free August 1, 2016 2:01 PM

“I sense a lot of anger in your comments.”

Thanks Dirk for finally admiting that you don’t have a leg to stand on, and thus have to resort to ‘psychoanalizing’ your opponent. You obviously ignored my basic explanation of the nature of fascism (and your government) because you realized that your game is over.

I on the other hand again ‘sense’ that you and schneider are nothing but apologists of the american criminal state, and are explicitly calling for it to become bigger. Send my regards to your dear leader, the children murdering obomba.

Dirk Praet August 1, 2016 3:03 PM

@ free

I on the other hand again ‘sense’ that you and schneider are nothing but apologists of the american criminal state

Well, now that we have been so totally exposed I guess @Bruce and myself will just show ourselves out and hand you the keys to the kingdom. They’re on their way to your doorstep by special drone delivery.

ianf August 1, 2016 3:21 PM

@ Dirk,
            be sure to note this @free’s balls the size of M&Ms, and him doing his big-time thinking with them. And BTW congratulations on acquiring a new dear lower case leader.

Out of curiosity, “free,” and be aware that I agree that the USA is very much a state of fascist mentality, how many years have you lived in ANY fascist country that might give you some opinion leg to stand on? Maybe even thought of visiting, oh I don’t know, North Korea? for a fortnight?

free August 1, 2016 4:12 PM

By the way Dirk,

First you wrongly thought I was a trump fascist, and then you concluded that I must be an anarcho commie. You are of course wrong again. Which is hardly surprising since your understanding of political philosophy is very flawed, at best.

” by special drone delivery.”

Funny how you joke about that kind of thing. Then again, a system like the US can only exist if supported by people with no empathy, who think that murdering children is the right price to pay for god-given cheap oil. Have a nice day.

relatively free August 1, 2016 4:43 PM


You may want to know that afaik Dirk is not a U.S. citizen or resident.

Dirk Praet August 1, 2016 5:04 PM

@ free

First you wrongly thought I was a trump fascist, and then you concluded that I must be an anarcho commie.

Actually, neither. The last time I heard a discourse that said “fascism” every five words was from a clueless 19 year-old high school dropout who was equally unable to explain what kind of alternative society he had in mind.

Have a nice day too.

free August 1, 2016 5:37 PM

“I am also familiar with the works of Kropotkin and Bakoenin.”

Isn’t that amazing. Especially considering that you do not even know how to spell “bakunin” Бакунин

Dirk Praet August 1, 2016 6:08 PM

@ free

Especially considering that you do not even know how to spell “bakunin”

Well, some of us actually speak more than one language and inevitably make the occasional spelling error when not writing in their native language. Others don’t even know capital letters are used at the beginning of people’s names in their own language, which seems to be another indication you never finished high school. But I guess spelling rules are some fascist groove thing too, aren’t they?

Anon10 August 1, 2016 6:32 PM


The 2000 decision under the Clinton administration to shield over-the-counter derivatives from regulation was called “a key turning point in the march toward the financial crisis.”

That’s somewhat true, but the CFMA in some ways enshrined the status quo. Up until about 1997-1998, neither the SEC nor the CFTC had tried to regulate the OTC derivatives market as a whole. Then, the SEC and CFTC got into a bureaucratic struggle over whether certain transactions could be defined as futures and hence subject to SEC vs CFTC jurisdiction. Eventually, Congress got involved with the CFMA. Prior to Dodd-Frank and the financial crisis, there really wasn’t a time when the OTC derivatives market was regulated in a meaningful way in the US.

free August 1, 2016 7:22 PM

“some of us actually speak more than one language”

In case you haven’t noticed, english isn’t my first language either. I’ll let you do the math…if you can manage it.

Bakoenin eh? So you are the dutch american propaganda agent in the netherlands? Or perhaps south africa? Congrats. The more you bow to your american masters the more money you’ll ‘make’. Quite the capitalist, are you not.

r August 2, 2016 6:20 PM

@Dirk, ianf,

this ‘free’ agent guy, gives a whole new meaning to the phrase ‘seedy’ doesn’t he?

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.