Broadening a thought: We'd be better off if we stopped talking about "the internet of things" and started talking about "computers don't always look like we expect them to".
Instead of saying "internet-enabled" it might be wise to say "regardless of what it looks like, that's a computer and you should treat it like one".
"Somebody hacked my fridge!" Yes, your fridge has a computer built into it and you should treat it like a computer (and demand that the manufacturer treat it like one).
@dredmorbius @noelle I remember attending a talk by Mark Weiser, "father of ubiquitous computing" (which, loosely speaking, is now the IoT + mobile) at Xerox PARC in, erm, well, a long time ago, back when I was doing systems admin there. He was enthusing about 'puters being "in the woodwork everywhere", and I asked who was going to do the systems admin - security and updates. I was frostily told this was a "non issue". Yeah, right.
@dredmorbius @noelle jeez, I could maybe narrow it down to a year, probably 1990. PARC was focusing heavily on ubicomp, with things like smart whiteboards (Liveboard) and Pads. I was there on secondment from EuroPARC in Cambridge (UK) representing the "research programmers" ("they think up clever shit, we make it work") and trying to figure out how to safely integrate this stuff into the main corporate network. I think it was a Blue Book talk.
Seems to me that *if it was done right*, security wouldn't have to have become an issue.
Like, require some kind of local *physical* intervention in order to control the device (just as a crude example).
Unfortunately, the people who make these things have very little "incentive" (that glorious capitalist concept without which nothing can happen) to prioritize security.
Hell, that's one of the things I've loved about Unix / Linux. Give me cron and ssh, and shit happens regardless of my co-location in /either/ time or space. *You don't have to be there for it.*
A co-location constraint pre-empts one hell of a lot of possible applications or interactions. And I don't think it's remotely reasonable to request those be abandoned.
@dredmorbius @woozle @noelle oh for sure, plenty of folk (myself included!) screaming from the wings. But nobody involved in the initial research or, as far as I can tell, in the current implementation and deployment (certainly in the IoT) fully grasped the magnitude of the problem, of treating an Internet Thing (toaster, butt plug, whatever) as a "computer", which needs as much care and attention in keeping updated as any other computer, and the fallout from not doing so.
For a fridge? A toaster? A *butt-plug*?
Yes, if you want remote access, then you have to deal with security issues.
I'm just saying there are a lot of devices where this kinda doesn't make sense but is just the *easiest* way to let people control stuff from their smartphones.
That said, I suppose security considerations still apply even for things like Bluetooth.
It just clearly wasn't a priority at all -- and there are systemic reasons behind this.
@dredmorbius @noelle (I'm not dissing Mark, he was/is a genius and nice guy, I just watched this whole Internet of Shit grow from its genesis, with not one person involved ever really giving a serious thought to how to keep it secure. That was just some kind of implementation detail that we'd all work out somewhere down the road, and anyone mentioning it was viewed as kind of pissing in the pool)