[conspire] Fwd: [VanLUG G] Increasing importance of security

Rick Moen rick at linuxmafia.com
Mon Sep 17 16:22:41 PDT 2018


Quoting Howard Susman (hsusman at scsurplus.com):

> This book review is of interest....

[https://www.cbc.ca/radio/spark/internet-plus-now-everything-can-be-hacked-1.4824151,
interview with Bruce Schneier about his new book _Click Here to Kill
Everybody_]

Bruce is excellent at explaining security issues to the general public.
A few points about this ~20 minute CBC Radio interview:

Book is about the increasing and ominous security problems posed by 
pervasive computing and the IoT.  Part of the reason for the concern
is that pervasive interconnectedness vastly expands the threat surface.
Also, attitudes (including regulatory ones) are still outdated, still
based on the old world where computing was 'just data' and could not 
directly harm the physical world.  We apply regulation to parts of life 
where people can be hurt or killed, but the computing tech space is
still very unregulated, even though basic security flaws in computing
tech _can_ now kill.

Computers are rapidly expanding into everything, starting with cars,
thermostats, medical devices, and refrigerators, with the expectation of
those devices being able to freely communicate with the Internet.  The 
result is that vulnerabilities in one thing now interact badly with
those in other things.  Making matters worse, manufacturers feel no
incentive to prioritise security in products:  People don't shop for it,
and wouldn't know how to do so even if they tried.  Thus, security is a
last priority.  This is no different from the history of other products
over the last century and a half:  Manufacturers didn't care about
safety until law, liability, and regulators forced them to.  Thus, 
old attitudes need to change to fit the different situation.

Alarming things that have already happened include:

o  Only slightly contrived demo of _Wired_ author Andy Greenberg
   arranging for two remote computer attackers to take over and
   disable his 2014 Chrysler Jeep Cherokee.[1]

o  Russian government Internet attackers shut down power plants in
   Ukraine on two separate occasions.

o  Ransomware attacks have already occurred against 'smart' thermostats.
 
Another part of the problem is a spook-agency-driven government attitude
that deliberately encouraging vulnerabilities including deliberate
back-doors in products and protocols is great because it helps us break
into the bad guys' devices.  Unfortunately, because we all use the same
systems, it means everyone suffers deliberate insecurity.  This 
will persist until there's a decision to invert priorities and put
defence before offence instead of vice-versa, a 'defence-dominant
strategy'.

And one more part of this problem is the surveillance capitalism that's
been dominant over the last decade, including but not limited to Google
and Facebook.  This needs to be curtailed, as it's a threat to everyone.


[1] For more information:
http://illmatics.com/Remote%20Car%20Hacking.pdf
https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/
https://www.youtube.com/watch?v=MK0SrxBC1xs 

The demo was slightly contrived because the researchers had arranged for
Andy to have a Sprint cellular burner phone operational in his car that
served as a relay to the Harman Kardon Uconnect head device for the
Jeep's entertainment system, which they took over.  This would not in
general be the case.

If you know a bit about security aspects of system software, read in
particular the first link: Uconnect's baroquely overfeatured software
will scare the hell out of you, and demonstrate that all of their talk
about patching vulnerabilities is totally insufficient.  Note, for
example, that all cars running a Uconnect infotainment system are
advertising to the Internet a D-BUS interprocess communications daemon
24x7 while running.
