Daniel Miessler on My Writings about IoT Security

Daniel Miessler criticizes my writings about IoT security:

I know it’s super cool to scream about how IoT is insecure, how it’s dumb to hook up everyday objects like houses and cars and locks to the internet, how bad things can get, and I know it’s fun to be invited to talk about how everything is doom and gloom.

I absolutely respect Bruce Schneier a lot for what he’s contributed to InfoSec, which makes me that much more disappointed with this kind of position from him.

InfoSec is full of those people, and it’s beneath people like Bruce to add their voices to theirs. Everyone paying attention already knows it’s going to be a soup sandwich—a carnival of horrors—a tragedy of mistakes and abuses of trust.

It’s obvious. Not interesting. Not novel. Obvious. But obvious or not, all these things are still going to happen.

I actually agree with everything in his essay. “We should obviously try to minimize the risks, but we don’t do that by trying to shout down the entire enterprise.” Yes, definitely.

I don’t think the IoT must be stopped. I do think that the risks are considerable, and will increase as these systems become more pervasive and susceptible to class breaks. And I’m trying to write a book that will help navigate this. I don’t think I’m the prophet of doom, and don’t want to come across that way. I’ll give the manuscript another read with that in mind.

Posted on January 9, 2018 at 3:26 PM70 Comments


de La Boetie January 9, 2018 4:01 PM

The reason people in InfoSec are having to shout is because our Beloved Leaders are so absent from passing any kind of constraint or good conduct on suppliers. They let the suppliers get away with murder.

In other words, this is primarily not an InfoSec problem on its own, but it’s very much incumbent on “us” to carry on kvetching. Because that’s the ONLY way it seems like the “obvious” (from the article) penetrates the obtuse.

Before food standards were enforced, bakers used to add lead oxide to bread to make it look white. Chemists could have told everyone this was a spectacularly bad idea, but it takes legislation and the prospect of liability and jail time to focus commercial behavior to align with civic responsibility.

YPr January 9, 2018 4:13 PM

It is appropriate to shout down the whole enterprise as it exists right now. The issue with IoT is that is based on the same surveillance business model of most of the Internet except much more intrusive extension into the physical world. We are basically building our own 1984 style total surveillance state trusting that companies will do a good job of securing the data and good job of securing the products. The insanity of putting an array of directional microphones, video camera, and activities log into every bedroom, for what, an ability to have clap on / clap off functionality? Moreover, companies are not even enabling simple controls into products anymore forcing you to use their products. So no regulation, no liability to manufacturers, lowest bidder products. And because it is voluntary, no protection to disclosure to third parties or even government.

Jeff Hall January 9, 2018 4:17 PM

Just wait until someone gets seriously injured or worse – dies, all thanks to IoT security or lack thereof.

What will the vendors say? Sorry, but we couldn’t add security at the product’s pricepoint. How about there wasn’t enough time to get it secure and beat everyone else to market? All of those sounds terrible in the court of public opinion and even worse in a court of law.

Craig January 9, 2018 4:24 PM

IoT should be stopped until software and hardware vendors are legally held accountable for damages related to security problems in their products.

Marc Zorn January 9, 2018 4:29 PM

It is a very difficult task to inform people of security risks without sounding like a harbinger of doom, no matter how objectively they are presented. In my opinion, your presentation style has almost always been even-handed, objective, and enlightening. I have never sensed a hint of doom or gloom.

Caution toward the security risks of IoT is warranted. When we see people blithely adopting technology without ANY regard for the associated risk, it is often hard to exercise restraint.

It may be worth re-examining some of your writing from a new perspective for your own enlightenment, but please don’t soft-pedal the message because someone doesn’t like the tone.

Garbo January 9, 2018 4:54 PM

Where does he draw the distinction between “doom”


“a critically under-thought product line rushed to market naked and bloody, infecting passersby”

DROP TABLE Comments January 9, 2018 4:59 PM

The politics of America and the economics of IoT mean an IoT ecosystem isn’t possible without violating user privacy or the security of the greater Internet. Even though the mass adoption of insecure IoT surveillance devices is inevitable there’s nothing wrong with standing on the sidelines to point out to the world that it is doing a stupid thing.

Anon January 9, 2018 5:51 PM

What does Mr. Miessler think? That we should just accept that IoT is insecure? Does he own shares in companies that will be affected? Is he the Surveillance State?

IoT devices are usually frivolous devices, or literallyveven toys. These are things people are buying their kids and not thinking twice about it.

It’s absolutely right to be very critical.

Clipper January 9, 2018 5:59 PM

IoT failed when security was sacrificed. We have TV sets and electrical appliances with cameras and microphones and all kinds of sensors that have been proven to be tools for spying, I prefer a dumb TV and an even dumber refrigerator to any “modern” gadgetry that tries to do something I don’t want it to.

Getting wifi circuitry on everything is just a bad idea, refusing the consumer the choice to disable it is even worse.

Douglas Coulter January 9, 2018 6:23 PM

As is so often good advice – follow the money.

I’m an outlier and I know it, so what. I live off the grid almost entirely, just the phone/internet bill, for example. I left “the community” decades ago, did some time as a private product dev outfit, made my dough, retired young.

Homesteading is the oldest profession when you think about it – you have to stay alive long enough for that other “oldest” to be possible. As I age, this is harder and harder to do, so, as a semi-retired engineer/scientist/inventor – I create automation for homesteading tasks an a race with time to get this happening faster than I lose abilities due to my own aging.

My stuff predates the IoT by a bit.

None of it – zero – is directly on the net, port forwarded or otherwise, and if I like – and a project for that is underway – I can air-gap it entirely from the internet, not just have it behind a firewall and NAT as now. And this doesn’t even make it cost more – well, you need another access point for the air gap, but that can be the same machine (a raspberry pi3 at this point) that does all the other hub/database/plotting/control interface functions anyway – so, software is all you need, just NRE cost.

Why then do all these IoT things go out on the ‘net? The stated reason is so that you can do stuff from your cell phone (I don’t have one, I only need to do things at my house when I’m here anyway – which adds a safety check (Bruce’s defence in depth) – which is nearly always. If I didn’t like it here, I’d make it better. If I’m going to turn on the heat, I’d like to be here to see that no one stuffed a newspaper into it first. Or that the backup generator isn’t hydrolocked from a leaky float bowl. The corner cases when you automate powerful stuff are real and hard to anticipate completely.

Follow the money – you’re for sale, all the info about you that anyone can collect. And that’s only one way. How about what is a free web service now (funded by selling your info) – changes their mind and wants rent for IoT “As a Service”, one of the current trendy things for wishful CFOs? What if, maybe worse, instead of inadvertently putting someone in a position to charge you rent to make your own house work again – they just drop support altogether? I hear that’s happened to at least one smart thermostat outfit…

Much better to keep it in-house. If you really need to turn on the heat from miles away, you can port-forward yourself – your own web server doesn’t even take a raspi – an ESP8266 will do. Not a ton of bucks – or if you’re on limited solar electricity as I am – not a lot of that either.

I’m not selling anything here – and in fact I’m in the process or re-architecting my own stuff as I add more and more (including some neat automation for my fusion lab), but there’s plenty on my website if anyone cares to look for LAN of things.

I’ve got all kinds of cool weather collection (indoor and out) water system control/sensing, and general other stuff via leaves of ESP8266s, arduinos, ad raspies. While I started in this computer game before there were Z80s, I find these kinds of new, inexpensive for what you get dev boards with active communities to be the best to work with, and more of a guarantee that at least used ones will be available. I used to make my own PCBs right here at home. No more of that for me!

Everything I do is for free, open source – if you find anything you like up there and want to productize it – go for it! I’ll be very happy to see it done right by someone. I’m too busy having fun to turn this into money myself.

Anyone who belongs on this forum will easily figure out how to get in touch should they want to (It’s not super obvious, to keep the idiots out) – you’re invited.

D-503 January 9, 2018 7:20 PM

Miessler writes:
“These aren’t ideas, they’re inevitabilities.”
I’ve heard that self-fulfilling prophecy many times before – it’s the standard motto of every dictator and would-be dictator.
Yes, there’s a near-infinite number of examples of humans doing irrational, self-harming things. But that doesn’t mean that humans are incapable of making rational choices.
Individuals, organizations, and governments can make rational, responsible choices. They can reject fundamentally stupid ideas… If they choose to.
For example, only 14 years after it was discovered that large-scale production of CFCs was a bad idea, all nation-states around the world agreed to the Montreal Protocol, depite industry fighting tooth and nail against it. The Montreal Protocol has been successful in drastically cutting CFC use to negligible levels.

John Poffenbarger January 9, 2018 8:00 PM

Thanks for posting this Bruce. A fundamental requirement for true science lies in a willingness to respect and respond to criticism. Thank you for continuing to lead by example.

Mister Easy January 9, 2018 8:06 PM

@ John P

Excellent comment, could not agree more. Bruce taking the high road is par for him and underappreciated.

Mark January 9, 2018 8:55 PM

We’re the “boy who cried wolf” industry. Look at Meltdown and Spectre. Hardly interesting unless you’re a cloud or hosted services company. Complete over reaction from the media means I have to educate our management as to why the sky isn’t falling.

Garbo January 9, 2018 9:21 PM

Mark I get the impression you might have some unpatched vulnerabilities out of sheer spite.

Clive Robinson January 9, 2018 10:10 PM

@ Bruce,

I don’t think I’m the prophet of doom, and don’t want to come across that way.

Guess what Bruce, we all are to someone when we behave responsibly. Teenage kids want to do new things experiment as it were. Parents might be “Buzz kills” to such children but they would be irresponsible parents if they did not give warnings and apply restrictions.

I’m not as young as I used to be and like Doug above I’ve been designing electronics since before the Z80 was available let alone affordable. I now look back at some of the things I did and well I cringe to be quite honest. How I and some others did not end up being preped for autopsy I realy don’t know…

The US has a reputation for idiot ideas as business plans some despite common sense have become a success[1]. Why I have no idea but then that’s consumers for you… Unfortunatly they have a habit of encorraging other madmen with money. Other insane or idiot ideas thankfully bankrupt their product developers and we hear little more of the idea.

For instance one from history that I tell students. Bath tubs used to be made of cast iron then enameled. Likewise radiators for home heating. Which means bath water gets cold quite quickly. But if you look inside a boiler you see what are in effect small cast iron radiators with gas burners underneath. So yes some bright eyed bushy tailed inventer developed an idea for an under bath gas heater and patented it…

Ever heard of the Boiling the frog experiment? Well this one also had a couple of other disadvantages no flue ment a room full of carbon monoxide and as the burner is close to wooden floor boards houses could and did catch fire…

The patent offices of most countries are full of such madness, and we look back on them and say in our heads “What were they thinking…”

But we forget that 20/20 hindsight can make all of us look smart even complete idiots. Where as 20/20 foresight is a gift given to very few in the world.

Much IoT is as some hear know the 21st century equivalent of that under the bath boiler. It’s just that too few people have the foresight to see they are the equivalent of a frog boiling gas chamber come crematorium.

Because people with not even 20/20 forsight go “Hang on a moment chaps, this might be a problem” they get cast as the “Buzz kill” or the “Doom sayer”…

But I tell you what I’d rather be called that than “murderer”, “child killer”, or worse sit there in private guilt knowing that I should have thought about that aspect of safety.

But as I’ve said before in some languages they have but one word for both safety and security. That alone should make us pause to think about why we treat safety and security differently, and that perhaps when it comes to product design we should not.

For those not convinced we have on this blog passed comment about the idiocy of IoT door locks and how they could be easily be bypassed with a little “Internet fu”. Now think about how many people you have heard about being injured or killed by those gaining illegal entry to peoples homes? No it’s not as common as the press sometimes appear to make it be, I know. But if you had designed such a lock and a home invader had used it to commit a crime and it ended in a horrendous blood bath or worse, how are you going to feel on reading about it? On questioning by the authorities? On questioning by a lawyer representing the interests of the victims in court?

Was it realy too difficult to treat security with the same level of input as product safety, or in fact a lot lot better?

So my view Bruce, though you might not like it, is you are not “Buzz kill” enough, and doomsaying is in effect a civic duty when it can be clearly described and the risks seen.

Oh and watch out for the “salami slicing” or “cheese parring” arguments people with a “can do mentality” come up with.

Some of you might once have flown into the old Hong Kong airport. It was scarry because you flew not over buildings on approach but between skyscrapers. You might have thought “What idiot…” I know I did. The skyscrapers got there by the oldest trick in the book of “nothings happened yet so we can do it again” each year another taller closer building got built because so far no building had been hit… It’s the same daft argument as putting a can of petrol or other accelerant down beside a fire… Each time a little closer untill one bright sunny winters day “Boom”.

Bruce the world has more idiots and madmen than sane who are prepared to stand up to them. Don’t make the number of sane one less because an idiot or madman wants to put squirrels in you head to make you doubt yourself.

[1] Do you realy need what turns out to be a “lighter than air” bouncy castle for your young childs birthday party, where one gust of air could send little jo/joe up to the heavens above or beyond?

Rachel January 10, 2018 12:18 AM

Great, Mr Miessler knows. Good for him. He’s onto things more -interesting-.
Now, onto the remaining 3 billion odd potential users .
I don’t know why I think of chainsaws. But very very few people know how to handle them safely. There are good arguments for them not being available
to the consumer market. People slice themselves up every which way every day. No one would ever think it was possible! Why, it’s just a chainsaw!

keiner January 10, 2018 2:58 AM

“We should obviously try to minimize the risks, but we don’t do that by trying to shout down the entire enterprise.”

No, bad business models have to die. Definitely and immediately. Kill IOT. It’s total and utter nonsense.

JohnM January 10, 2018 3:28 AM

Thank you Bruce for demonstrating such a healthy and humble response. We live in an era of divisiveness and disrespect, which sadly we also see in the InfoSec realm. It is so nice see your response and makes me reflect on what I do to create a culture of respect and civility.

Carl January 10, 2018 4:36 AM

Agree, it’s hard to inform people of security risks without sounding like ‘tin foil hat wearers’, the collective herd (i.e., addicts) simply want to enjoy their pleasures and not labor at obtaining true happiness. A serious threat is upon us, the sheeple are at a precipice, only awaiting the exhilaration of the coming fall and its dopamine hit, absent the consequence of their decision. We’ve all been warned…DOOM a adequate descriptor.

Elliot Williams January 10, 2018 4:54 AM

There are only two things wrong with the current state of The Internet of Things:

1) The Internet. Exposing data to the big net when it’s primarily consumed locally magnifies the attack surface a bazillion-fold. Have we not learned the lesson of Shodan?

2) The Things. The “Things” aren’t things, but captive vectors for delivery of services. When the terms of service change for whatever business reasons, the things become trash.

I have no beef with either “The” or “of”.

Ollie Jones January 10, 2018 5:38 AM

Your critic Miessler has a point. These days a lot of people are joining the infosec parade hopping on the bandwagon hoping to make a few euro or bucks from the panic.

That kind of noise can drown out the band. And it can make people stop listening to the band.

The same thing happened in the Y2K panic a couple of decades ago. The seriousness of the problem was hyped, hyped, hyped. But the remediations succeeded and Y2K came and went without serious incident.

Where Miessler is wrong: You, Dr. Schneier, are the trumpet player in the band. You’ve been playing that trumpet a long time.

Clive Robinson January 10, 2018 6:29 AM

@ Bruce, ALL,

Having had a bit of a night to mull it over, I think Mr Miessler is playing a rather silly game.

Lets start with,

    I know it’s super cool to scream about how IoT is insecure

No it’s not, it’s wise and precautionary to alert people to the fact of what is going on. The fact that some faux technologists are going “wow” and “Super Cool” and “I just want XXX” frequently is a form of direct propaganda avoiding advertising rules.

Next we get the pretend to be giving fatherly advice, etc etc line,

    I absolutely respect Bruce Schneier a lot for what he’s contributed to InfoSec, which makes me that much more disappointed with this kind of position from him.

Whilst actually free loading off of your efforts and contributions.

We see the same trick again

    InfoSec is full of those people, and it’s beneath people like Bruce to add their voices to theirs.

For whatever reason Mr Miessler has taken a position and like a used car salesman that puts sawdust in the gear box he’s trying to sell readers something that is unwise to buy.

And here it is,

    Everyone paying attention already knows it’s going to be a soup sandwich—a carnival of horrors—a tragedy of mistakes and abuses of trust.

You note the “Everyone paying attention”, which is just wrong, we know from all sorts of mrasuers that very few to no consumers who buy IoT or Amazon Tech are paying attention. I could draw up a list but it would be an article in it’s own right.

So there we have the main point of Mr Miessler’s disagreament he does not like the reality of the situation and want’s people to keep pointing it out, he want’s the party to keep swinging despite the fact the punch is made with wood alcohol which realy will make you go blind, not just blind drunk.

He then tries to reinforce it with,

    It’s obvious. Not interesting. Not novel. Obvious. But obvious or not, all these things are still going to happen.

But do you notice the wallpapering of his backside with the claim of what is “pre-ordained” he high lighted it to make sure the wallpaper is thick.

So again we see the argument for the party to go on, rather ike it did on the Titanic. Hey don’t listen to those who are trying to save your life just get another drink in they are free as long as you dance on till you drown…

But he then pulls the real whizzer out from behind his back,

    When we brought electricity to millions of homes, houses burned down, and people died, but I’d argue it was worth it to have electricity in the home and business.

What a steaming great pile, that argument is so mindlessly stupid, the only way he can get away with it is because very few know the truth of it, even though you can look it up.

The electricity market was a ballon market with winner take all as the prize. There were so many different suppliers all with their own funny ways. Some were DC some were AC some had low voltage some had very high voltage. There might be three or more different suppliers in a large town. The safety features were a joke basically a couple of bare wires came into your home to a board nailed up in your roof space. Then in early systems bare wires ran down the walls to switches and the like made out of metal and fragile glass… The reason people died was incompatability of systems, no safety and naked greed of the industry making “market share” sound familier?

I will bring Mr Miessler’s argument into this century with something directly comparable,

    Airline security was so bad that all the people who dide due to 9/11 was a good thing. Because it gave us the DHS and TSA, so we could have fedral employees inspect our shoes. Thus the lucky few bagage checkers who did not get the sack got their wages doubled, the airlines nolonger had to pay for it thus got increased profit, and “all the President’s men” directly or indirectly got very wealthy off of the back of untested and non efficacious security products. Oh and we the citizen’s lost rights, so now it’s OK to be groped up by bullies and perverts and our lives made worse in so many ways, with bo right of redress.

Have a think about what Mr Miessler said and remember it and hold it to your heart every time you read his words from now on. He personaly thinks it’s OK for people to be hurt, killed or burnt to death, just so non liable corporations can get increadably rich off of you one way or another. Untill that is it gets so bad that regulations and standards to limit the harms get pushed through the legislative process…

Further that he thinks it’s wrong of people like Bruce trying to stop his idea from happening…

He goes on just to make sure you get his point,

    Fear-mongering about IoT is like looking at the first electricity coming to homes in the early 1900’s and warning everyone it’s a horrible idea because of the fire hazard.

Does he actually realise what he has written? Did he try reversing the order of his argument,

1, The technology has a high probability of causing you significant harm or even death.

2, We saw this in the 1900’s in an unregulated unstandardised free for all market.

3, Mr Miessler considers IoT to be just like the 1900 market.

4, Warning about it is “Fear-mongering” and thus people should not do it.

Does anyone else see the irony in his dismissing what he claims Bruce is doing?

Mr Miessler goes on to lie by ommission with,

    You’re honestly objecting to assigning trust, at digital level, to various people in your family, friends, various organizations, etc?

He omits to mention that you are given no choice but to trust the “various organizations”. But neglects to mention that history tells us not only will the quite deliberatly abuse that trust. But Mr Miessler neglects to mention that their security is so week that in effect they give no protection to the device they have sold you, or the data they have collected from you. Thus he’s trying a “sunny side up” argument that tells you ‘Don’t look behind the curtain it’s realy scary and it will take the fun out of non ownership of your IoT toys”…

Then we get a direct lie, an assumption and a refrence back to your harm is good,

    Technology is integrating into human life on planet Earth, and there’s not anything anyone can do to stop that. And once we get out of the woods it’s going to be a massive improvement. Just like electrification was.

There is plenty you can currently do to stop the IoT integration, not buying the junk for one, disabling it’s unneeded IoT functions another. If people do not engage with the hype then it will not happen. Then the assumption of “a massive improvment” do you remember people saying that about “remote controls”, they have been attributed to increasing the “couch potato” life style that is reducing peoples life spans does that sound like a good idea on a personal basis? Before you answer remember the average lifespan in the US has dropped yet again and couch potato morbidity diseases are still very much on the rise making not just the couch potatos but big pharma and health insurance fat, very fat, so much so they are a good pension investment[1].

As I said about his electrification idea, remember the benifits of 9/11 it’s a more modern example.

Now we get a real two face argument from Mr Miessler,

    We should obviously try to minimize the risks, but we don’t do that by trying to shout down the entire enterprise.

So Bruce very much is trying to minimise the risks (just as parents do with crossing roads). But admitting that would make Mr Miessler’s article pointless, hence he has to accuse him of trying to bring “down the entire enterprise”. Has anyone actually heard bruce say ‘We must never do IoT’, if they have I’ve missed it, all I’ve heard is requests for regulation and standardisation, which considering the potential harm that Mr Miessler recognises exists I think is a quite reasonable thing to do.

So onwards through what is becomming a malodorous cess pit of an article from Mr Mirssler. We get a lie about the obvious and thus two false accusations arising,

    To characterize Amazon’s progress in smart homes as, “They want to control our lives.” is both incredibly shortsighted and irresponsible.

Now for anyone who has looked at Amazon their whole ethos is to drag you in and hold you dependent on them in any which way possible. That by definition is controling behaviour we used to call it “customer lock in” when IBM and other big iron software companies did it, and it’s the model much of the close sorce industry wants to move to, one of “endless rent” coming in strong and steady. Thus the only thing you can accuse anybody saying “They want to control our lives” is “Stating the bleeding obvious”. However obvious as it might be to those in the industry it is less so to consumers, thus a person would be fully justified in saying it. It’s a bit like Google’s “Do no Evil” which people regularly call out. However Mr Miessler decides that accusations of “both incredibly shortsighted and irresponsible”. I would say Mr Miessler has mistaken his own behaviour for others more rational, logical and entirely reasonable behaviour.

I’ll let others decide on the other attributes Mr Miessler thinks he has 😉

Now we get to that bit Mr Miessler things Bruce should be doing,

    Yes folks—things are going to get nasty. The digitization of our lives through IoT will be a bumpy ride, and people will get hurt. We in InfoSec are on the front lines. We’re the technologists embracing this change first, as the inevitability that it is, and we’re doing our best to make the transition as safe as possible for you.

The first three sentences of that are what Bruce has pointed out for quite some time.

But lets look at the next bit… That fourth and fifth sentences with the “We” at the start, well that’s not realy true, most are not on the front lines, many in fact are on the other side of the lines feeding the enemy with IoT ammunition. As for embracing some are actively fighting it off like you would any parasitic entity which many behind IoT appear to be. Further it’s not an inevetability as I’ve already mentioned. But importantly Mr Miessler is most definatly not trying to make it “as safe as possible for you” with his article, infact the very opposit, he wants you to drink and drown in the faux sparkle and lies of IoT that he would rather see spread untill things get apocalyptic and legislators are forced to act.

But Mr Miessler can not let it go, he’s like a manky scavaging mut with a bone he’s determind to chew to the end. So we next get,

    Not dog-piling on every new technology/life integration like it’s the harbinger of death that must be stopped by InfoSec. It’s not our job to stop the inevitable from happening; it’s our job to make it more safe when it does.

Err no this is wrong on just about every point to see why start with “it’s our job to make it more safe when it does”… Thus Mr Miessler is arguing we should do at most nothing untill the disaster is upon us causing harm. I guess he’s not heard about the problems with “backwards compatability” and making a clean break, perhaps he should read up on what Intel have been doing for the past third of a century with the IAx86 internals and what that has led to just recently…

Working back we again find that faux implication of “inevitable”, I guess you have to start wondering what’s so important about it that Mr Miessler has to keep stating it. It’s kind of suspicious any one know?

But then we get back to the lies again. As I said as far as I can remember all Bruce has asked for is sensible behavioir not pointless greed that will cause active harms, and reculation to ensure that IoT minimises harms before it becomes any more harmfull, after all I think most people would agree that the biggest Distributed Denial of Service attack sofar in ICT history kind of counts as a harm in most technologists heads. Perhaps Mr Miessler does not think so and more of the same would be good very good. As I’ve said you have to start woundering about his motivations…

And so back to Mr Miessler’s false use of the electrification argument again,

    People complaining about fire hazards wouldn’t have stopped electrification, and people complaining about IoT isn’t going to stop that either.

People did complain from the outset that dangers were involved and measures needed to be put in place (they were aware of this from Victorian Boiler Explosions and subsequent legislation which was the first of it’s kind). But back then they had their own Mr Miessler’s running cover and distraction. Finally regulation and standardisation was achived at immense cost, which nearly killed the industry, it certainly did much harm and killed of sections of it. In other countries it became necessary to Nationalize the electricity business to keep it alive. None of which needed to happen. Likewise the fires and deaths if regulation for safety had been brought in at the begining, they would not have happened.

Contrary to what many claim regulation is not a market inhibitor, it actually makes it broader and fairer and actually increases consummer confidence thus grows a market more along the lines of what is needed not the grasp of a quick profit bubble followed by a downward tail spin “race to the bottom” which decimates the market and often harms beyond recovery.

In general “free market” proponents don’t actually understand markets, whilst those that pay them to spout it are the ones setting up monopolies and cartels and greatly profiting from the disinformation…

But still onwards we go with Mr Miessler’s article, and his plee of “People need us” because,

    They’re bewildered and scared. So let’s start preparing them for what’s coming instead of adding to their fear and uncertainty.

I realy do not want to prepare people for significant harm and even death like an inevitability, as Mr Miessler thinks is the way to go to some golden prommised future far away.

The future is almost never golden such is humanities lot, and IoT is not going to bring some universal utopia, if the history of computers is anything to go by a few will get very rich at others expence. For those ordinary people it will cause insecurity, and there will be considerable mental harms such as depressive and adictive disorders, thus lost productivity. Draconian efforts by Dictators and Democracies alike to turn it into a surveillance tool and in effect bring forward a Police State agenda to ensure their tenure by authoritarian behaviour. That’s what the history of computing has so far taught us, what do people think IoT will add to the list, unless regulated to prevent it?

Thus personaly I’d rather warn of the dangers we already know are happening, point out history and push for legislation to stop it getting as bad or worse.

That way if we get the regulation history teaches us we realy realy need to protect us not just from the Corporations but the State and criminals alike, then we don’t have to prepare people from significant harm or death of loved ones etc.

But Mr Miessler if he had actually studdied the history of industrial technology like the electrification of peoples homes he holds up as a shining example, would know that those harms can be avoided or atleast minimised by early and strong regulation.

Which again makes me wonder what’s in it for him to argue otherwise.

As to Mr Miessler’s final point,

    We’re better than this.

Yes we are better than what he is suggesting, much much better, the real question is why we are not as successful at it as we should be.

Maybe it’s because of the way Mr Miessler suggests we act. After all it’s how powerfull vested intetests have tried to always play the game untill their excesses brings in strong regulation. Regulation that at great expense provides a better fairer more transparent market, all of which the vested interests hate as it brings down their overly large profits, poor quality and disregard of any humanity.

But I guess Mr Miessler likes that for some reason.

Maybe his readers would care to make comnent on his site.

[1] Yes you can invest in the early death of a couch potato, you just take out life assurance on them. Companies are doing it currently and it’s said by some they see a 10% yield off of it in various ways…

mike acker January 10, 2018 6:37 AM

I think much of the trouble we have with electronics today originates from a combination of excessive capability and poor authentications for transactions.

this thought came to mind as there was a piece over NPR on voting machines and paper trails. if the electronics cannot be trusted, well, then yes: we will have to have a paper trail. just like the Old Days we will have to have the ability to manually audit our results. Mark-sense ballots.

Example Audit Process: 1% of precincts could be selected at random for manual recount and vote machine audit. if all is well the election could be certified but if the vote machines are not totaling properly then the entire election would have to be recounted manually — and the vote machine company would pay for it.

we may be seeing the start of a “Sea Change” with respect to vendors standing in back of their products: lots of patching. next: Liability for Damages caused by defects.

there are those who’ll argue that software cannot be completely debugged. I’m not sure that’s true. The Structure Programming folks argued for “all branch testing”. The idea here is simple: if you have time to write an instruction — you should take the time to verify that it operates as required. I’ve tried this my self and found it to be very helpful.

Dan H January 10, 2018 6:51 AM

Yes, IoT must be stopped. There isn’t any need for a thermostat or refrigerator to be connected to the Internet. Some people will say it is, but it is just convenience, not a necessity.

So the fridge can see you’re out of milk and order it for you, then have the local grocery store deliver it because of your smart lock, and place it in your fridge so it’s there when you get home. That is laziness, not something that benefits society.

This all leads to a surveillance society. Aldous Huxley’s “Brave New World,” George Orwell’s “1984,” Ray Bradbury’s “Fahrenheit 451” all ring true today, and truer with each passing day. Mildred’s television “family” then is Facebook and social media today.

Snake January 10, 2018 8:04 AM

Not only do I think IOT ought to be stopped, I think all work on AI should be paused while it is regulated to death.
There should also be some regulation as to the age a person can have a “phone”, and social media should be heavily regulated.

Evan January 10, 2018 8:15 AM

The only people jumping on a bandwagon to make a buck while ahead of the public good are the people selling IoT devices in the first place. Security is just one of the problems that IoT faces: there’s also obsolescence, vendor lock-in, and the now very real risk of the company going up and the devices lose all their “smartness” (or, in the cases of Juicero and Otto, become completely bricked).

We can ameliorate some of these flaws, provided device manufacturers take security and long-term usability perspectives into account. Suggesting improvements nicely hasn’t worked, so the only solutions left are government regulation or a shift in public demand, and the only way for either of those to happen is for enough people who understand the problems to make enough noise that people start listening.

david in toronto January 10, 2018 8:58 AM

Mr. Miessler has started an interesting debate.

I disagree wholeheartedly that it is obvious. It is only obvious to those in the know. If you are the average joe/jane in the street it is in no way obvious. The general public suffers from compound ignorance, they don’t know what they don’t know. If you tell them IoT can be hacked, you’ll get “so what?” They don’t know how that impacts everything else. They have no idea. And a lot of executives are average joes/janes in this regard.

That it is inevitable, is likely true. Stopping it is unlikely. However, stopping the worst of it, the really bad problems before it goes too far to recover from may be possible. Every voice helps mitigation come quicker.

Protesters often take the high road, the ideal, because it is necessary to do so. The ideal never emerges. However, often what emerges is better.

There is also the reality that there will be iterations on this and the debate.

echo January 10, 2018 9:00 AM


I believe Bruce is a capable and decent man. Your analysis of Miessler’s comments address his thinly disguised puffery very well. I suspected a few of his PR tricks but wasn’t able to adquately explain this nor did I have concrete examples like your very educational points. In some senses Missler is attempting to frame Bruce as a party pooper because Bruce won’t excuse inappropriate drunk behaviour at a party.

I believe Bruce is a man who knows his own mind and is perfectly capable of representing himself and I apologise if I am inadvertently putting words in his mouth.

asdf January 10, 2018 9:42 AM

Beating a dead horse shouldn’t be considered a bad thing regarding activism, raising consumer awareness, or pushing for policy change – in-fact it’s pretty necessary. Not everyone is as informed on this is as Daniel Miessler and those who hear about it only once (like probably those who saw the CNN article) are likely to forget about it over time.

parabarbarian January 10, 2018 9:53 AM

I blame Star Trek. A huge, Utopian, fictional starship with an omnipresent computer controlling everything was a fantastic advertisement for an IoT network. Brave New World and 1984 rolled into a nice bundle of circuits with a pleasant female voice. Put the bigots at Google in charge and you can toss This Perfect Day and maybe Logan’s Run into the recipe.

Of course, reality never quite matches the hype and consumers want what they want. I do not expect the government to do much beyond cosmetic rule changes since those consumers also vote and they outnumber the chicken littles by a large percentage.

So, keep up the good work, Bruce. You may not be able to divert the IoT from a future speculated wreck but, like a glass rod, its trajectory can be bent a little.

CallMeLateFor Supper January 10, 2018 10:06 AM

Amid the weeds at the bottom of the linked article, I see:
“Please enable JavaScript to view the comments powered by Disqus.”

ENable JavaScript?!! Disqus?!! Seems to me that Meissler is part of the problem.

Tim January 10, 2018 10:23 AM

There is one more thing that is not often mentioned. How much Radio Frequency Interference is generated by so many IoT transmitters? Will we reach a point where there will be so much interference that our devices stop working? Or will we find out that our bodies don’t deal well with constant exposure?

We need people to ask questions before we discover the next long lasting problem.Even if the questions are not popular.

Petre Peter January 10, 2018 10:30 AM

For me , Data and Goliath has been the first technology book that showed me the importance of privacy and taught me that i shouldn’t not be afraid to ask for a Privacy Policy from people asking me to fill out forms-a right i didn’t know i had until page 428. In Secrets and Lies, i learned the real meaning behind secrecy in security. Beyond Fear, gave me a view of fear, based on numbers rather than theater, and helped me understood why one is replacing the other. Schneier.com is the place where i can truly express myself.

Bob January 10, 2018 10:31 AM

We’re the technologists embracing this change first

Lol. No, Daniel. I’m going to let you be the low-hanging fruit.

Archon January 10, 2018 10:42 AM

Everyone paying attention already knows it’s going to be a soup sandwich — a carnival of horrors — a tragedy of mistakes and abuses of trust.

So… if he accidentally set his office wastebasket on fire he’d just stroll out without pulling the alarm – after all, for everyone paying attention it’s obvious his office is on fire.

Maybe a little doomsaying is acceptable when there’s doom to say?

CallMeLateForSupper January 10, 2018 11:36 AM

Piling on IOT is not equivalent to piling on rural electrification. Improper comparison, I think. Decrying the internet itself would be like decrying rural electrification, but that’s not what’s going on.

Piling on IOT is like piling on the many, early 20th century products that were electrified for no reason other than to increase their attractiveness to potential buyers (because electricity itself was novel). While some items – e.g. cream separators; clothes irons – were rendered more effective or convenient by electric power, there were many items – e.g. curling irons; bread toasters – that were rendered downright dangerous by unflagging, electric power. (Hmmm… maybe a thermostat or timer would be a good thing. Somebody should invent those.) Electrify everything first; think about safety later.

There was an infamous, third class of products, new, electrified products that did not serve any purpose other than to titillate shoppers and enrich the producer, “quack” products that promised cures for name-your-complaint but delivered nothing except the opportunity to die by electrocution. (I saw one of these in an antique store and was aghast at its blatantly dangerous design.)

In my opinion, IOT offers, for the most part, both useful, convenient but dangerous stuff and useless (or nearly so), dangerous stuff. Some of recognize the dangerous IOT stuff and attack it. Some of us recognize the useless or quack stuff and reserve our largest rocks for it. We are at the point where we know both that unfettered IOT can cause “fires” and no Best Practices are in place to mitigate the risk. IOT “timers and thermostats” won’t invent – nor mandate! – themselves.

Clive Robinson January 10, 2018 11:47 AM

@ Bob,

I’m stealing “couch potato morbidity diseases.”

My words but technically Bruce’s derived work copyright, so that’s a drink apeice please…

Seriously though if you ever get to meet our host by him a cup of tea atleast, it’s not an easy job running this sort of blog.

And if you use my words point back to here so Bruce gets another visitor or two who hopefully will join in, as each opinion and point of view counts.

echo January 10, 2018 12:10 PM

@ CallMeLateFor Supper

Following on from discussion of issues like Meltdown and Spectre, and issues like ad blocking and exploits via Javascript I have been experimenting with no-script. Using this has been an education in how much of the web requires Javascript for even basic functionality. My unscientific guesstimate is three quarters of my observable internet became dark matter. It was there and had influence but I couldn’t see it. I could only measure it’s impact indirectly.

I do wonder if IoT will suffer similar issues. By way of an analogy inner city parking is problematic. Authorities have tended to take the view of allow everything then claim banning none necessary traffic is unworkable so end up with a mess. Nobody considered whitelisting (such as permitting emergency services and delivery vans and disabled access and so forth) then setting a limit for remaining capacity. (Shared spaces for vehicles and pedestrians are a continuing source of policy and implementation subject to further study not to mention robo cars which are an emerging area.)

I wonder if IoT might be best considered via an escalating model of core mandatory functionality and interoperability and update patching? Everything else can be left to market forces but not required to access the declared ‘goods and services’ provided by the IoT device?

To some degree this model has been followed by the games and entertainment industry. As monopolies bloated API specifications and marketing coverage at the bottom new entrants emerged and the indy scene became more popular.

Clive Robinson January 10, 2018 2:39 PM


There is one more thing that is not often mentioned. How much Radio Frequency Interference is generated by so many IoT transmitters?

Yup not only is it “poluting” the airwaves, it’s also generating an increased heat polution and commensurately larger carbon footprint…

Just the way life works when you have to share a limited resource…

VinnyG January 10, 2018 2:45 PM

@echo re NoScript. Your next surprise might be how easily you can read and work around leaving JS off for most or all domains requested by a site. BTW, what is your browser? My understanding is that G. Maone had to substantially rework NS for FF Quantum (v57) to the point that it might be regarded as a competely different application with the same funcionality goals. I don’t and won’t have direct experience, based on what I’ve heard from some whose opinions I respect, I have no intention of ever going to that version.

Hold the Door January 10, 2018 3:48 PM

FWIW I am a prophet of doom and gloom. I think comparing IoT to electricity is bizarre. They are nothing alike. But I don’t want to belabor the point. More than a decade ago on this very blog I said that I could not imagine a future which is not dystopia. I feel the same way ten years later.

I do agree with one point. We can’t stop it. But the future won’t be like electricity, it will be like the Terminator.

Clive Robinson January 10, 2018 5:27 PM

@ keiner,

“morbidity diseases”? morbidity = diseases…

The mistake is actually not an unnecessary repeate (pleonasm) nor the absence of “of the”, no it’s a little more dull, as in a spell checker usage mistake.

But first Yes you are correct morbidity is derived from the Latin for disease, but it’s rarely used that way these days… That is it also means to take an (unhealthy) interest in death and the rate of a disease in a given area or population. It’s also got a couple of other meanings but to be honest I’m hard pushed to remember them.

Now the word I typed but did not get is “comorbidity” which is not in this phones spell checker though morbidity is.

And yes “comorbidity” does also mean a disease, but refers to a secondary –or more– disease. Thus obesity and it’s comorbidities of diabetes, heart failure, high blood preasure etc.

So yes once more I hang my head in shame :$

hmm January 10, 2018 5:33 PM

” it’s hard to inform people of security risks without sounding like ‘tin foil hat wearers’ ”

They called Galileo that – then they killed him!

They call everybody that – UNTIL EVERYBODY KNOWS IT.

echo January 10, 2018 5:35 PM

@ VinnyG. This is off topic. I currently use three browsers for different things due to compatibility and other reasons. (Chrome, Firefox, and Opera.) I may roll this and other security issues I am exploring into a squid comment.

Rachel January 11, 2018 12:45 AM


Thanks for the detailed rebuttal

Will you / all humanity be able to take solace in the fact
a) the author is reading these comments
b) you can’t unwrite an article from the collective memory
c) Will Bruce be blogging in 5 years
“Mr M, internet of things protaganist, was found in his kitchen castrated with a quarter-lobotomy having recently purchased a internet enabled can opener called ‘The Terminator’ ?

Just_some_person January 11, 2018 1:06 AM

The cat is out of the bag.

Your right to freedom of motion stops when your fist swings into my face. That’s about where we can get to.

Freedom of speech is protected. Freedom of belief (or thought) is as well.

IOT is freedom of speech and thought made manifest in silicon form. The young and ignorant do silly and dangerous things. We are all still early in this digital landscape.

IOT will be like bacteria and viruses; omni present in the body digital politic. We’ll end up employing biological analogs. Tcells, antibodies and histamine reactions.

One of the strongest tools in the new digital body will be the web of trust used for communication. It’s already here in a manual form with vpns, fitlering, and firewalls and such. Yes boot strapping a pki is hard(tm). To keep the noise out we’ll have to migrate from an open network to a invite only white list. At the very least a trust score tied to a cert. Then we can tell the machines to filter out trust scores less than X, just like we do with spam.

The IOT devices suddenly stop being so much of a problem. As a society with freedom of speech IOT will be able to say whatever it likes… it’s just that no one will be listening.

Clive Robinson January 11, 2018 2:29 AM

@ Rachel,

Mr M, internet of things protaganist, was found in his kitchen castrated with a quarter-lobotomy

Hmm I did not realise that Mr M was sufficiently spinless to get in such a contorted position where a simultaneous injury to brain and gonads could be performed by a can opener no matter how smart it’s IoT tech…

The actual point though is Mr Miessler for reasons unknown decided to be not just overly critical over what most would regard a miniscule difference of opinion, he tried to window dress it up into something major… But in a way that said more about his inabilities than those of who he was criticizing. Trust me if I can spot the failings in his argument, in almost every sentance he wrote, then I would expect many if not most of his readers can as well.

Thus he received a self inflicted injury from his target practice at his feet. Having not knowingly read other of Mr Miessler’s articles, I can not say if this is a momentary aberration on his behalf or his normal MO. But such that it is I find myself in the position of being disinclined to read further of his works to find out.

Look on it like eating an apple in the dark, your first bite is nauseous, are you going to chuck it out or turn it around and take another bite? There are after all many more apples in the barrel to chose from, if not other barrels to pick.

Clive Robinson January 11, 2018 4:04 AM

@ ALL,

It would appear Mr Miessler has an agenda…

A little search on the internet shows he makes lots of comments on his own site but few sites refrence his.

The most notable being,


He has his first short (just over a hundred pages) book out about “The Real Internet of Things” but it’s a touchy feely human outlook book judging by the blurb.

But guess what… If you go to his web site he appears to have put every last word of it up there chapter by chapter, over so many pages it’s difficult to count them all…

I wonder if his criticism of Bruce is a form of “Inverse Logrolling” to get attentiin for his book…

The 64,000 Dollar question though, is it worth reading to critique it?

Should I do it… I can hardly claim impartiality, so maybe somebody else should?

If you want to see what you are in for then a quick read of,


Might get you started (but don’t ask about “the shape of water” ;).

David January 11, 2018 4:13 AM

The IoT just makes collection easier. It punches more holes in your privacy, expands attack surfaces–it’s a nightmare from the security point of view.

Nothing like some “fine dining” at home, right?

Mr. Schneier is not going to be mistaken at all when he raises doubts about the security prospects of the IoT.

David January 11, 2018 4:29 AM

By the way, who in the world is Daniel Miessler?

Please tell me that he is not making money off of the IoT.

Utopia January 11, 2018 5:36 AM

David, take a look at LinkedIn and also the company he belongs to called IOActive.

You can find his other social profiles from his personal webpage including his Twitter, Facebook and Github.

Nick P January 11, 2018 12:06 PM

@ Bruce Schneier

He’s right about Amazon quote. They don’t want to control your life per se: they want to make money off everything you do in it by supplying you what you need. If anything, they’re set up to be a pervasive middleman. That’s what a lot of these companies are trying to do that. Some add spying to profile you better but the general goal is making money off you.

Now, let’s test him. He should be looking at the risks and rewards of using IoT devices as they’re being sold versus (a) non-Internet connected devices doing the same things and (b) IoT devices with basic security from the market or regulations that we push for. The botnets from these things alone have already generated the largest DDOS’s in history. They were so severe that a company with huge pipes plus DDOS mitigation stopped protecting Krebs’ blog. That means these devices’ presence on the net has already shifted protecting individual sites from a problem we could handle for free or cheap to a problem a company with huge resources doesn’t even want to handle. Not only that, the people on the receiving end are being damaged by the unnecessary tech others’ are deploying on the Internet. An externality for those using IoT that can do huge damage to others.

In addition, attackers used to ignore hardware for whatever reason. They’re not now: conferences regularly feature attacks on new classes of device with computers in them, wireless gear, and/or Internet connections. The manufacturers are consistently making devices without security. This means an increase in IoT devices used in safety-critical markets such as transportation and healthcare without an increase in security will lead effects ranging from major, economic loss to physical injury to third parties. In the home, driers and toasters some want connected are known, fire risks when an attacker isn’t in control of them. A sprinkler system in a building that gets hacked can damage its property (water) or kill its occupants (CO2). Outside IoT, such risks to safety did damage until regulations kicked in. There’s no reason to expect the private market will do any differently in IoT if they’re not responsible for the damage they cause. This goes double when you remember many players are the same companies that didn’t care before who are now offering riskier products.

So, there’s piles of evidence that he should be supporting your position in favor of concerned citizens avoiding a large swatch of IoT and/or supporting better security in it however we can get it. Instead, he focuses on the Amazon example followed by these:

  1. We can’t stop the inevitable from happening. Meaningless point that could support all kinds of crimes like drunk driving. He’d have you stop arguing against it to demand side or lawmakers because people will do it anyway. That’s never a good reason to support a behavior.
  2. People complaining about fire hazards didn’t stop electrification. The benefit provided by electrification changed society in a huge, obvious way that justified risk in market. Fire hazards were accidents that could easily be mitigated in majority of cases once each root cause was understood. The IoT phenomenon is often about stuff that doesn’t have to be open to the Internet or has low value with a malicious threat that will intelligently bypass protection measures. While safety engineers consistently beat back fire opportunities, new developments in IoT have consistently met with both same old and new attacks. These two topics have very opposite tradeoffs.
  3. People complaining about IoT isn’t going to stop it. Irrelevant with similar problems as No 1. Your criticisms are intended to inform specific groups of people with similar concerns so they can reduce their risk. That does happen to some degree as evidenced by your readers’ feedback. As a democracy, we’re also supposed to voice our opinions to voters, lawmakers, police, and courts to try to create legal measures on prevention and punishment side of things. Your testimony sometimes supports that, too. He’s created a strawman for your position that’s easier to knock down.

In summary, there’s a new trend with huge risks that are already doing damage. He probably saw you write a bunch of things about the topic. He ignores all your good points, counters one of your weakest, encourages damaging behavior because it’s popular, brings up a bad comparison to do the same, and misleads his readers about your position and goals to do the same. This man’s article is sophistry and libel that only serves the interests of IoT suppliers and a subset of their customers that accept being harmed without attempts to prevent that. I add that last part since IoT vendors’ marketing efforts often involve lying to their customers. We already have enough data to show nobody looking for accurate reporting for or against IoT should read anything this man writes. If anything, we should look for a conflict of interest making him shill IoT so hard. I’m not done since he makes another critical error: you should “shepherd” the IoT process.

For one, you can push any trend in the market you think is best. One woman who knew hackers were going after pacemakers, but who couldn’t get suppliers to secure one, just bought a non-connected one. This mitigated her problem without IoT risks. Your audience has lots of people who would do that. Second, you can’t be expected to “shepherd” what 3rd parties are doing if (a) they’re in control of their own actions, (b) don’t care about consumers’ security, (c) they make more profit the less secure consumers are, and (d) there’s currently no large punishment for profiting at customers’ expense. They can and will mislead, sell to, and damage customers with impunity until we get leverage in legal system. In a capitalist market, it’s not your responsibility to do anything when neither demand nor supply side cares. Your motivation is personal beliefs combined with a reputation made by giving good advice on INFOSEC consistent with them. If he and they are doing self-interest, then so should you: preserve your reputation as an independent, security expert that cares for a niche of informed buyers wanting less risk by not being an apologist for IoT vendors’ lining their pockets.

Epilogue: I try to look at who a person is after I judge them strictly by content. This guy is a security professional who did all of the above in an IoT essay. I’d say avoid consulting with him, too, since his other recommendations might be similarly poisoned with terrible logic that favors malicious suppliers.

hmm January 11, 2018 1:19 PM

IoActive, don’t they get paid for finding bugs as a business?

Of course he has no major issue with the IOT then. It’s bread and butter forever.


Bob January 11, 2018 1:32 PM

The guy offers grandiose rhetoric with no substance. He has no ideas, nothing of value to say. But, by God, he’s really good at stringing words together in a pseudo-inspirational manner.

Clive Robinson January 11, 2018 3:45 PM

@ Nick P,

This man’s article is sophistry and libel that only serves the interests of IoT suppliers and a subset of their customers that accept being harmed without attempts to prevent that.

If you look at Mr Miessler’s book index you will see he’s in effect acting an “IoT Evangelist”.

Thus it would appear that @Bruce is “breaking his rice bowl” hence the “sowing squirrels in your head” rhetoric.

Also the book it’s self the way it’s presented and the reaction all scream “Outsider wanting in” to me. Thus he’s picking a fight to get attention and boost his readership etc and thereby try to get what he considers increased credibility.

Most of us have seen the little guy in a bar get a skinful and get beligerent with a large guy who’s minding his own business. It goes by various names but plain and simple it’s a form of inadequacy complex. Well it’s a similar issue Mr Miessler appears to have…

Maybe we should feel sorry for the inadequacy he feels?

CallMeLateForSupper January 12, 2018 10:14 AM

Anyone paying attention to the latest CES (Consumer Electronics Show)? Tons of strictly-from-hunger brain farts. For a condensed list of some of the worst, check out https://twitter.com/internetofshit

I feel a strong urge to grasp some of the doofuses by the lapels and ask, gently, if they would let their sisters date an idiot such as themselves, or if they would sell their stuff to their own mothers.

Rachel January 13, 2018 7:04 AM


..inadequacy complex

I understood it as the Napoleonic Complex. Napoleon’s compensatory mechanism, for feelings of inferiority via a ‘vertically challenged’ physical form , was to enact an offensively caustic persona for all human relating

Christopher January 15, 2018 12:40 PM

Bruce, your Prophet-of-Doom (TM) score is 7/10.

When I read this at the end of your first essay in today’s newsletter:

“But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.”

, I remember myself actually saying something bad at virtual Bruce specifically because that comment (and more before it) was so disaster-focused.

And your writing has structure. It typically ends with “what can we do about it?”. The issue I believe is that it is also liberally sprinkled at times with “we can’t do anything about it.”

Your new book title (you called it “clickbait”) unfortunately follows this trend.

I believe this is my first comment post in many years of reading your newsletter. I remember my copy of “Secrets and Lies” had as many dog-eared pages as not. Even though I read your stuff, I try to avoid reading the news — specifically because it is so disaster focused. We have plenty of that around us. I would personally prefer if you could keep that aspect cleaner. Thank you for reading.

Hal O'Brien January 15, 2018 4:45 PM

I don’t see you as a prophet of doom and gloom. The quote from you I tell people most often is, “All security is a tradeoff.”

I think you do tell people – frequently – that they’re making tradeoffs they might not be aware of. I hear you saying, if the particular feature is worth that particular tradeoff, hey, have at. But don’t imagine it comes free, and be aware of what it might cost.

But that’s just one reader’s view, and one who’s known you a while, at that.

ER January 16, 2018 10:41 AM

I would give Bruce a Prophet of Doom score of 4 out of 10.

For one thing all Bruce does is communicates his concerns about how the technology can be abused.

No one is forcing any “bad ideas” down anyone else’s throats. His readership are mature grown-up people, fully capable of thinking for themselves. And thanks to his thoughts they can make more educated decisions.

If he would not communicate that stuff from his perspective, who would?

Some CEO of MakeYourWholeLifeCloudConnected, Inc maybe? No thanks.

If his writings affect the IoT-pundits bottom lines it is because customers are more knowledgeable as a result.

Marlon Bishop February 6, 2018 5:45 PM

The problem with criticisms of security of IoT is that its ultimately futile because there is no “Internet” of things, but many “intranets”. Given that FANG is too busy trying to own the IoT, combined with current FCC climate which appears to be hostile to things “free and open” (case in point Net Neutrality), there likely never will be an IoT as in the normal internet we can monetize and build wealth from. Let’s not poke holes in the cart before the horse.

Clive Robinson February 6, 2018 6:43 PM

@ Christopher,

I remember myself actually saying something bad at virtual Bruce specifically _because_ that comment (and more before it) was so disaster-focused.

The thing is that CPU faults will come home to roost now, and it will not be fun for either vendors or customers.

Intel took over Alteria for their FPGA know how, it might come as a shock to know that their highest end chips come in around 30,000,000,000 transistors which is above that of even Intel’s high end multi-core CPUs. The intention is to combine the devices. That is for servers and the like some algorithms will actually be in silicon and run alongside the more conventional multiple ALUs Floating point units, Graphics Co-Pros etc. Thus we are looking at over 50,000,000,000 transistor equivalents in something like 10nm gate sizes.

The odds of there not being errors even with large chunks being optimized cells for cache RAM and FPGA is vanishingly small.

Thus there will be error mitigation circuits built in not just to correct faults but also decrease the numbers of reject chips.

Whilst that will correct the lower level faults, there will be increasing numbers of faults of more esoteric nature as you work your way up the computing stack towards the ISA gap the other side of which the majority of programing languages are situated.

As Rowhammer demonstrated it is possible to “reach through” the various layers of the CPU down to the memory where the information about how the security of the system is set up (MMU page tables etc). As Meltdown and Spector demonstrated in their various types side channels leak information from memory around the security mechanisms in the CPU. We also know from times past that memory can also be got at from below in various ways.

Thus the current CPU design is not secure, and more attacks and time and other side channels most definitely exit and are just waiting to be exposed in one way or another.

I could go through this at length, but the reason behind this as I’ve been warning for years is “Efficiency-v-Security”. Put simply, in the general case any effort you put into making a process/system more efficient the more channels of attack you open up. The most obvious being time based side channels, but there are others lots of them. It is only in exceptional design cases where efficiency can be increased without opening up an exponentialy increasing number of attack vectors. However the way you do this is a very long way from center field of current CPU design.

So depressing as it might sound now people are starting to investigate these types of security problem the more attack vectors they are going to find, it’s the way the world works after all. Many of these attack vectors will be class type attacks that effect more than one CPU family architecture.

The thing is Gordon Moore is in part responsible. His “observation” –not law– is actually not about technology but market demand. That is the market expects the doubling of things like transistor count, clock speed, CPU cores or just power in short time intervals from a year to two or three at the most.

To meet those market expectations is increasingly difficult. The only way is by focusing on what are effectively tricks around bottle necks. Such tricks always have side effects, you can not avoid them. Thus the trick is dealing with them securely without loosing to much of the performance gain… Doing that is hard, realy hard compared to working out the bottle neck mitigating trick in the first place.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.