Cisco Offers $300,000 Prize For Internet of Things Security Apps

samzenpus posted about a year ago | from the pay-me dept.

Security 62

alphadogg writes "Cisco today kicked off a contest with $300,000 in prize money that challenges security experts around the world to put together ways to secure what's now called the 'Internet of Things,' the wide range of non-traditional computing devices used on the electric grid, in healthcare and many other industries. A Cisco SVP concluded his keynote at this week's RSA Conference by announcing what he called the 'Internet of Things Security Grand Challenge.' Christopher Young said the idea is 'a contest of experts around the world to submit blueprints' for how security issues created by the Internet of Things could be addressed. It's expected that up to six winning entries would be selected and the prize money awarded at the Internet of Things Forum in the fall."

I have the solution right here: (2, Interesting)

Anonymous Coward | about a year ago | (#46381167)

give up on the whole "internet of things" idea as it's a loser from the get-go.

You can donate my 300 large to the EFF.

Re:I have the solution right here: (2, Insightful)

pla (258480) | about a year ago | (#46381451)


I don't want my fridge online. I don't want my toaster online. I don't want my lights online. I don't want my toothbrush online. And dear Zeus but I sure as hell don't want my HVAC or oven or even my car online!

The "Internet of Things" doesn't even rate as a solution in need of a problem - More like a marketing gimmick in need of a thin excuse to get ever more personal data from us.

Dear Cisco - Go home, you've had too much to drink. Don't worry, your fridge says it has leftover mac&cheese for you to snack on.

Re:I have the solution right here: (1)

Anonymous Coward | about a year ago | (#46381521)

I sure don't want my home online, but as someone who supports IT at a school I can tell you that my cafeteria people want to be able to get alerts on temperature variations in their fridge. The building & grounds people want to be able to set light and heat schedules from a central location, and don't want two computers on their desk to do it.

Re:I have the solution right here: (1)

NapalmV (1934294) | about a year ago | (#46384307)

Getting alerts is one thing and controlling from a central location is a pretty much different beast.

You can implement the first as an electrically isolated box with a temperature sensor. It does not need to be connected in any other way to the fridge controls. The box can be connected to the internet and send e-mail alerts. An attacker breaking into the box could reprogram it to send false alerts or not send alerts at all. But he won't be able to take control over the fridge itself and reprogram the thermostat or shut it down.

The second (controlling lighting/HVAC from a central station) introduces a single point of failure exposed to internet so you'd better run it on its own dedicated network. Yes it costs money to run extra cables. But it also costs money to firewall it when connected to Internet, while the results cannot be guaranteed in any way.

Re:I have the solution right here: (2)

JaredOfEuropa (526365) | about a year ago | (#46381715)

There are plenty of good reasons to connect appliances to the Internet, or at least to a local home automation controller.
- HVAC? Hell yes. Having heating and AC automated and remotely controllable adds comfort (turning the heating on before we arrive home), convenience (no need to manage schedules, remote control from anywhere in the home), and saves money (by turning off heating automatically in unoccupied rooms).
- The toaster? Maybe not. I did connect a few other appliances like the fryer, which I don't want to remain on when we leave or go to bed.
- Locks... none in my home are connected, but I've heard from many owners of vacation rental properties that remotely operated locks can be a godsend.
- Washing machines & dryers? Not yet... but soon these devices will be able to negotiate with the grid to turn on at a time determined by the power company, in exchange for a lower rate. The water heater in my old flat already did that over 20 years ago (it had a nice clunky bakelite control box sitting next to it).

None of this is life-changing stuff, and much of the technology is still in its infancy (especially when it comes to security!), but the benefits already outweigh the risks by far.

Re:I have the solution right here: (2)

bjwest (14070) | about a year ago | (#46382409)

None of this crap needs to be directly connected to the internet with its own IP address. None of it! Every house with internet access already has an address and all that's needed is a good router to route things where they need to go. Most homes with more than one device, be it multiple computers, DVD/Blu-Ray players, TVs, game systems or whatever, already use this system. My frigging refrigerator, whether it's intelligent or not, does not need its own IP any more than each room in my house needs its own street address.

We're trying to put too much crap on the internet directly. The only thing this is going to do is cause major security problems. Now, instead of one single point of entry to secure, we have to worry about each device.

Re:I have the solution right here: (1)

plover (150551) | about a year ago | (#46382715)

The problem with this idea is that it still implies that you trust firewalls to keep your stuff safe. But firewalls have really proven only to be hurdles, not barriers - an unpatched browser, an infected web page, a bot client that can surf around behind your firewall, and suddenly your thermostat, washing machine, and refrigerator can be abused to send spam.

Another security problem is many of those home things are service based (for both good and bad reasons). But things that reach out across the network can be abused via their responses.

So to be secure, yes, you have to secure every damn device. Firewalls have demonstrated they help, but clearly aren't enough.

IPv6 means there will be enough addresses that you won't be needing NAT anymore, not that the things aren't already going on-line, or even that the things don't have to be behind firewalls. There is way too much utility to be had in devices that can use the network to save energy (smart grid control of energy hogging devices and learning thermostats), devices that can warn you of potential damage (freezers that let you know the door isn't closed, water leak sensors, etc), and devices that save you time (laundry machines that tell you when to take out the clothes.)

Re:I have the solution right here: (2)

K. S. Kyosuke (729550) | about a year ago | (#46382879)

None of this crap needs to be directly connected to the internet with its own IP address.

The devices don't need to be accessible to everyone, but what's the harm in devices having addresses? Just because I know that Obama lives in the White House doesn't allow me to casually stroll into his bedroom.

and all that's needed is a good router to route things where they need to go

And guess what, that requires some kind of address that you can route to. Sounds familiar?

Now, instead of one single point of entry to secure, we have to worry about each device.

Only because of crappy protocols and implementations, I assume, not as a matter of principle.

Re:I have the solution right here: (1)

chihowa (366380) | about a year ago | (#46390063)

None of this crap needs to be directly connected to the internet with its own IP address.

This isn't where the problem is. A decent enough firewall can take care of the security as well as it would through NAT and your router. The biggest issue is that none of this crap needs to be connected to creepy Peeping Tom companies and their "analytics". I would love to check my house temperature from work or see what's in my fridge while I'm at the grocery store, but I don't need some creepy company cataloging everything I do for their own sociopathic purposes.

"The Internet of Things" has less and less to do with empowering people in their use of devices and more to do with spying on people by corporate creeps who are looking for a quick buck.

Re:I have the solution right here: (1)

plover (150551) | about a year ago | (#46404661)

Not necessarily. Sure, some devices, like the Nest thermostat, only work with a data-grubbing service. Others allow you direct control. Some offer remote control via a service because people can't figure out how to safely poke a hole in their firewall, but offer unsecured local control from within your network.

Fortunately, not every thing is sold as a service. You can still exert control with your wallet. Support good companies that don't require a service, and shun those that do.

Re: I have the solution right here: (0)

Anonymous Coward | about a year ago | (#46389673)

Everything you mentioned already exists without the so-called Internet of things.

I'll pick two from your list:

HVAC, I can already set my temps for certain times and certain days. Guess what, no Internet.

Washing machine, yeah that's a good idea, let's just load up the laundry machine and "wait" for it to kick on not knowing when or even if you have clothes in it. I can already set mine on a timer to start when I want it to. No need for Internet.

These are made up problems and solutions. Just like the above stated, this is a marketing gimmick.

Re:I have the solution right here: (2)

K. S. Kyosuke (729550) | about a year ago | (#46382823)

The "Internet of Things" doesn't even rate as a solution in need of a problem

Hmph. Solutions in the shape of "everything should be/have X" seem to be frowned upon by many people (Smalltalk - everything should be an object!), but they seem to have proponents and detractors that without fault keep aligning themselves into two camps ("the unifying principle is more flexible!" vs. "I'm never going to need that"). On one hand, you may argue that you're never going to use that. On the other hand, if you had it, and you were installing a new alarm system, you wouldn't need to separately install wirings (and drill walls) to everything because there'd be a common control infrastructure already (for example, to control lights when you're away to confuse would-be burglars - the lights you don't want to control right now).

Re:I have the solution right here: (1)

NapalmV (1934294) | about a year ago | (#46382533)

Someone that hasn't yet commented on a certain beta (and thus is still receiving mod points), please mod the parent up. The worst thing to do to security is to interconnect everything and, on top of it, have some "central" authority to manage all the stuff. Unfortunately this is the thinking of most CIOs today. While autonomous, distributed, locally managed subsystems have always proved to be more resilient to attacks.

Re:I have the solution right here: (1)

K. S. Kyosuke (729550) | about a year ago | (#46382775)

give up on the whole "internet of things" idea as it's a loser from the get-go

That depends. I actually sense an opportunity here. Since the IoT is going to involve small devices, one obvious option is to write your software along the lines of Oberon and you should be safe by virtue of using the minimum code possible - you're not expected to pack a web browser with it, are you? Then again, aside from these mundane issues, it all hinges on the security of the protocols involved, not just their implementations, and the protocols themselves appear to be less than optimal in many places. I have no idea what they're actually asking for, though.

the one answer they won't find acceptable (5, Insightful)

Anonymous Coward | about a year ago | (#46381215)

I want to keep my devices secure. This means: Let me control them. Don't require them to phone home, or to be connected beyond my local network if I don't want. If they need to talk to a server, let me run that server on my own locked down box in my own house. Let me replace the OS on the "thing", if I want, because I won't be able to trust yours, because you have every incentive to sell me down the river.

Unless I control what software is run, and what it talks to, then there can be no security for my "internet of things".

But you won't, will you? You didn't really want to know I can keep my "internet of things" secure. What you really wanted to know was: how to present a facade of broken security while data-mining me to hell.

Re:the one answer they won't find acceptable (0)

Anonymous Coward | about a year ago | (#46381309)

But then we won't be able to monetize anything. If we monetize everyone's stuff, everyone will eventually think it's our stuff and have to pay rent on it forever in order to use it.

Re:the one answer they won't find acceptable (1)

JaredOfEuropa (526365) | about a year ago | (#46381753)

A lot of people were none too pleased by the acquisition of Nest by Google. Companies like Nest who are in the business of making shiny thermostats and selling those to us, can be trusted to some degree having no interest in our data for anything other than quality control purposes. Even so, I would prefer to have a choice to not have the device phone home, or the option to run my own server in case I am worried about the level of security at that company... or in case the company gets bought by the likes of Google who are renowned for raping our privacy six ways from Sunday for marketing purposes.

Re:the one answer they won't find acceptable (1)

mounthood (993037) | about a year ago | (#46382303)

I want to keep my devices secure. This means: Let me control them.

DRM / Remote Control are hard to defend, but *I* don't want to manage the milk carton chip which tells the refrigerator it's empty. I could manage it, being a technical person, but the majority of people don't even have that option.

So what are we going to do?

Don't require them to phone home, or to be connected beyond my local network if I don't want.

The milk carton will be restricted to talking to the refrigerator, but *I* don't want to manage a refrigerator. You want "things" to only talk locally and any external communication to go through a server you manage? That sounds reasonable at first, but it's not more secure: a milk carton with an encrypted/steno-graphed/timed communication is not something people can fight against. That milk carton is not going to be open or have an API, it'll be opaque hardware that's constantly changing. I can hear the corporate excuses already: "Some of the older cartons had an error that leaked info, but they'll be gone in two weeks."

Unless I control what software is run, and what it talks to, then there can be no security for my "internet of things".

Is there "no security" for your bank's network? Security doesn't mean control.

The monetizers demand data (3, Interesting)

swb (14022) | about a year ago | (#46382307)

The whole drive behind IOT isn't convenience, it's monetization of information.

The marginal cost of a "smart" device is much more than the marginal return selling such a device on its own merits. Either you jack up the price of the device to cover the gee-whiz features or you don't, but the only reason they don't is because they have figured out how to sell this info to someone else.

The Nest is a great example. I think the last 7 day programmable thermostat I bought might have been $50; the Nest is $249 from their online store. What, exactly, does the Nest do that my Honeywell model not do for $200? It may be able to vaguely predict occupancy and make adjustments, but the "dumb" Honeywell model pretty much covers this -- we get up, we leave the house, we come home, we go to bed at about the same time. There's so few use cases where automagic adjustment would make any sense (and many where it wouldn't work).

A smart fridge is one where there's almost no use cases that don't involve product/marketing tie-ins -- selling my use of tagged products to marketers.

The only way you're going to get IOT is if you either pay the freight for the intelligence or let the device sell your info.

Re:The monetizers demand data (0)

Anonymous Coward | about a year ago | (#46382493)

The only way you're going to get IOT is if you either pay the freight for the intelligence or let the device sell your info

I'm afraid the IOT will be shoved down our throats whether we want it or not. In 20 years it will hardly be possible to buy a refrigerator that doesn't report on your grocery status to an advertising firm.

And people will lap it right up like good little consumers, just like they have done for a million apps that exist only to harvest their data, and just like they did with Facebook and others.

It's coming, for cars, refrigerators, every appliance you own, your TV.... It doesn't matter whether you want it.

Re:The monetizers demand data (1)

Tom (822) | about a year ago | (#46386029)

A smart fridge is one where there's almost no use cases that don't involve product/marketing tie-ins -- selling my use of tagged products to marketers.

Uh, actually that's one of the very few examples I can think of that does have a use. How often have you been in the supermarket and wondered "do I have any X at home or not?"

Re:The monetizers demand data (1)

swb (14022) | about a year ago | (#46386563)

And the shopping cart in the grocery store will happily announce you don't have any Megacorp Brand Product X at home. It won't tell you that you have a competitor's product at home.

Re:The monetizers demand data (1)

Tom (822) | about a year ago | (#46386793)

Bullshit paranoia reply. Sure, it could happen, but seriously, would you buy this crap? Now ignorant Joe may - but when he comes home from the shop with his Brand X in hand only to find that he does, in fact, have Brand Y in the fridge, he'll consider it broken.

One way or the other, this kind of blatant abuse is not going to happen. The marketing parasites are smarter than that. They'll datamine the hell out of you, and they'll manipulate you, but they won't be caught lying to you outright in a way that you can spot.

Re:The monetizers demand data (1)

coofercat (719737) | about a year ago | (#46386873)

Actually, I'd like a way to remotely control my heating, and so that dumb thermostat isn't going to cut it. I used to have a home-brew thermostat that I could control from the Internet - it meant I could turn the heating on as I landed at the airport so it was warm when I got home. I travelled a fair bit, so used this facility a fair bit. It's not too terrible to come home to a cold house and wait 1-2 hours for it to warm through, but why not use all this new technology to make things a bit nicer?

FWIW, I've got a wireless thermostat these days - it uses an insecure wireless protocol that I'm told is vaguely hackable. I figured if I get time, I could hack it to provide me with the same functionality but have more "wife acceptance factor".

However, as has been noted above, Cisco (and Nest, and countless others) aren't about making things better for you, they're about making it better for them. As a result, I'm not interested.

I'd like to see things get Internet connected, and have phone apps to control them. However, I'd like to see any intermediary servers on the Internet become simple pass-through conduits, with my phone and the device communicating securely without the intermediary being able to listen in. They'd know I was doing something, I guess, but wouldn't know what. Better yet, let me run my own conduit server. Trouble is, I'll never see this because none of the players in the market have any interest in doing what I want :-(
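
The pass-through conduit coofercat describes above, as an added example that is not part of the original thread: the phone seals each command with a key shared only with the thermostat, and the relay forwards bytes it can neither read nor alter undetected. The pairing key, the `set_heat` command format and the class names are assumptions, and the HMAC-SHA256 keystream is a standard-library stand-in for a vetted AEAD such as AES-GCM or ChaCha20-Poly1305.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def _subkeys(shared_key: bytes):
    """Derive independent encryption and MAC keys from the pairing key."""
    enc = hmac.new(shared_key, b"conduit-enc", hashlib.sha256).digest()
    mac = hmac.new(shared_key, b"conduit-mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, counter: int, length: int) -> bytes:
    """HMAC-SHA256 in counter mode (stand-in for a real stream cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QI", counter, block),
                        hashlib.sha256).digest()
        block += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(d ^ s for d, s in zip(data, stream))


def seal(shared_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """Phone side: counter || ciphertext || tag (encrypt-then-MAC).

    The counter must never repeat under one key; it is both the nonce
    and the replay guard. Only the phone-to-device direction is shown.
    """
    enc_key, mac_key = _subkeys(shared_key)
    header = struct.pack(">Q", counter)
    ct = _xor(plaintext, _keystream(enc_key, counter, len(plaintext)))
    tag = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


class Device:
    """Thermostat side: accepts only authentic, fresh envelopes."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key
        self.last_counter = 0

    def receive(self, envelope: bytes):
        """Return the plaintext command, or None if the envelope is rejected."""
        if len(envelope) < 8 + TAG_LEN:
            return None
        header, ct, tag = envelope[:8], envelope[8:-TAG_LEN], envelope[-TAG_LEN:]
        enc_key, mac_key = _subkeys(self.key)
        expected = hmac.new(mac_key, header + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None  # modified in transit or sealed with another key
        (counter,) = struct.unpack(">Q", header)
        if counter <= self.last_counter:
            return None  # replay of an envelope already accepted
        self.last_counter = counter
        return _xor(ct, _keystream(enc_key, counter, len(ct)))


class Relay:
    """Untrusted conduit: sees and stores every envelope, holds no key."""

    def __init__(self):
        self.observed = []

    def forward(self, envelope: bytes, device: Device):
        self.observed.append(envelope)  # all it learns: timing, size, counter
        return device.receive(envelope)


def demo():
    key = bytes(range(32))  # constructed pairing key, set up on the local network
    device, relay = Device(key), Relay()
    command = b"set_heat=21.5C"  # constructed command format

    envelope = seal(key, 1, command)
    delivered = relay.forward(envelope, device)

    # A relay that flips one ciphertext bit is caught by the tag check.
    altered = bytearray(seal(key, 2, b"set_heat=30.0C"))
    altered[10] ^= 0x01
    tampered = relay.forward(bytes(altered), device)

    # Re-sending a previously valid envelope is caught by the counter check.
    replayed = relay.forward(envelope, device)

    return {
        "delivered": delivered,
        "tampered": tampered,
        "replayed": replayed,
        "relay_saw_plaintext": any(command in seen for seen in relay.observed),
    }


if __name__ == "__main__":
    print(demo())
```

The relay still learns that a message was sent, when, and how long it was, which matches the "they'd know I was doing something, but wouldn't know what" trade-off in the comment.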

Hey, Clock Monkeys! (-1)

Anonymous Coward | about a year ago | (#46381219)

T-minus Seven Days and Counting.

Citizens Everywhere Will Damage Their Biological Timing for Society's Good; Will You Be One of Them? Jump, Boy, Jump!

Only one sure way (1)

petes_PoV (912422) | about a year ago | (#46381257)

Do not allow them to connect to anything. I know it sounds trivial, but sometimes the only remedy for "Doctor, when I do <this> it hurts" is to stop doing <this>

Variable Instruction Set (0)

AmbiLobe (2999721) | about a year ago | (#46381271)

This is a job for an invention using custom microprocessor instruction sets that are keyed. For a start, see my patents : http://popularcryptography.blo... [blogspot.com] This is a digital bunker, safer than using RISC or CISC. KISC will allow ownership as a Keyed Instruction Set Computer.

Throwing money at a problem? (0)

Anonymous Coward | about a year ago | (#46381289)

If Cisco is offering prize money to secure the internet-of-things, it means that they have no idea how to secure it themselves...

Cisco is looking for a few good genius morons (4, Insightful)

Zero__Kelvin (151819) | about a year ago | (#46381299)

What kind of combination of genius and moron do you have to be to solve a major security issue like this and then give it to Cisco in exchange for virtually nothing?

me. I have to write the paper anyway. (2)

raymorris (2726007) | about a year ago | (#46381509)

I may submit a paper. I have to spend a couple of months writing the paper anyway, for school. I see no reason that I wouldn't send the already-written paper to Cisco and see if they send me back $70,000 and the recognition from the conference.

Re: me. I have to write the paper anyway. (0)

Anonymous Coward | about a year ago | (#46381747)

Here is my reason. Cisco is big enough to hire good enough engineers to solve this "problem". The IOT is supposed to be the next big thing thus it makes no sense I simply give Cisco ideas. Sure, I want people to be safe, but, seriously, Cisco ain't non-profit.

Re:me. I have to write the paper anyway. (0)

Anonymous Coward | about a year ago | (#46382453)

Check who really owns that paper. Nearly every school anymore claims copyright over their students' work from freshman to postgrad. You may end up paying your school far, far more than you bargained for.

Re:me. I have to write the paper anyway. (1)

Zero__Kelvin (151819) | about a year ago | (#46382579)

So you are planning on submitting the school's paper? What do you think is going to happen when Cisco pays you money for submitting a paper that wasn't yours to submit? I'm guessing the school, which owns the rights to your work, is not going to be very happy when they find out you submitted their paper to Cisco.

citation? 80% I checked didn't claim copyright (2)

raymorris (2726007) | about a year ago | (#46382671)

Thanks for mentioning that. I'll check my school's policy.

I just looked at the policies for five universities. Four of the five explicitly acknowledged that students own their work. The fifth had a "copyright assignment" form that I didn't read, so that school may have tried to get copyright assigned for student works, or it may be like Yale, where SOME works by employees, done as part of their employment, are owned by the university.

Re:citation? 80% I checked didn't claim copyright (0)

Zero__Kelvin (151819) | about a year ago | (#46382703)

So you are saying that you still haven't checked your school's policy?

I have not found any objectionable claim at my sch (1)

raymorris (2726007) | about a year ago | (#46382929)

For my school, I have not found any policy by which they attempt to claim copyright, or a copyright assignment form I would have signed.

I also have not found any document in which they explicitly acknowledge that under law, copyright belongs to the (student) author.

Re:me. I have to write the paper anyway. (0)

Anonymous Coward | about a year ago | (#46383761)

What are you smoking? Universities do not own student work--at most, if it's a thesis or dissertation, there are certain rules you must follow in order to have it count as such (which may include publication rules, but still does not transfer ownership of the copyright).

Copyrighted works produced by staff employees (i.e., not faculty) of the university, in the scope of their employment, ARE owned by the university. Faculty works depend on university policy; some say professors own their own works, others depend on the type of academic appointment, and all of them generally require a license to the university of some sort.

So unless this dude is an employee in IT or computer-related departments for the university, it's his paper and he can submit whatever he wants unless there are rules about using said submissions while receiving academic credit. But even if there are such rules, he still owns the copyright and can make the decision without the school's input.

Re:me. I have to write the paper anyway. (0)

Zero__Kelvin (151819) | about a year ago | (#46383787)

Whatever I'm smoking, I managed to figure out how to create a Slashdot account and log in.

Wild Things (1)

daedlanth (1658569) | about a year ago | (#46381313)

Great, we are on the verge of finding out where all the Wild Things are! Right?

Scary (0)

Anonymous Coward | about a year ago | (#46381347)

This probably means Cisco does not have a really good plan or idea on how to secure IoT.

When you win the prize... (1)

istartedi (132515) | about a year ago | (#46381373)

When you win the prize, be sure to go downtown and flash the cash in front of everybody. When you get beat up and robbed, use your leftover money to post a prize for "flashing your cash around town without getting beat up and robbed". If anybody says you shouldn't do that, casually dismiss them. They are not part of "the club".

Re:When you win the prize... (1)

50000BTU_barbecue (588132) | about a year ago | (#46381419)

Your sig would be even more intensely painful with some apostrophe s thrown in.

Re:When you win the prize... (1)

marcroelofs (797176) | about a year ago | (#46382063)

And correct use of the phrase "for all intents and purposes"

Re:When you win the prize... (1)

marcroelofs (797176) | about a year ago | (#46382069)

I just saw you already covered that :-)

Powerline networking firewall (1)

Anonymous Coward | about a year ago | (#46381431)

I've always been suspicious of new appliances having powerline networking chips built-in to communicate with smart meters, or possibly beyond that. I'd really like to be able to install something on the lines leaving my breaker panel that acts like a firewall and blocks any kind of network communication over powerline.

Re:Powerline networking firewall (1)

hax4bux (209237) | about a year ago | (#46381741)

Isolation transformers have existed as long as there has been TEMPEST.

Re:Powerline networking firewall (1)

Ungrounded Lightning (62228) | about a year ago | (#46385949)

I'd really like to be able to install something on the lines leaving my breaker panel that acts like a firewall and blocks any kind of network communication over powerline.

1. Get some electrical-noise suppression ferrite toroids and some ceramic capacitors at your local electronics store. (.005 microfarad at a minimum of 600V would be good for the caps. 1000V or higher on cap used for 240V circuits.)

2. In your fusebox connect a cap from each breaker's hot output to the nearest ground bus, keeping the wires as short as possible. (You want them downstream of the breaker so they blow the breaker, rather than start a fire, in the very unlikely chance that one fails shorted.) On 220v loads hook the cap between the two hot wires (red and black in the US).

The cap wires are too small to carry the current in case of a short, so get some tiny 1A pigtail fuses and wire them in series on the hot side (either side in the 240V both-are-hot case). Put plastic insulation rated at least 600V over (at least) the hot side wires and the fuse. (You can get such insulation, of adequate voltage and temperature ratings, by stripping the insulation from a spare piece of electrical wiring.)

3. In your fusebox disconnect the circuits, one by one, both hot and neutral. On each run the hot and neutral lines through a ferrite toroid core in opposite directions and reconnect the . For a 220V circuit run the two hot lines through the ferrite core, again in opposite directions, and ignore the Neutral. If you have multiple loads on a breaker, you can use separate toroids on each load or a single one on from two to all of them: Run the hot wires all one way through the toroid and the neutral (or red-hot on 240V) the other way.

This puts inductance in series with the signal and capacitance shunting it, forming a low pass filter. The low-frequency power will get through just fine and the high frequency networking signals will get stopped.

Putting cores on the main feeds also works, and takes fewer cores. You can also put one on each of the hot wires, separately, rather than using one with the wires crossed through it. You can get big ones that are split, intended to be clamped over a computer signal cable to prevent it from acting like an antenna, which you can clamp onto the wires without unhooking them.

Don't bother putting the two halves of the circuit through the core in the SAME direction, as you would with the signals in a cable or power cord if you clamped a core around the whole thing. This keeps the common-mode (both wires go positive or negative together) from propagating past the core, but the differential mode (one goes positive while the other goes negative), which is what power line networking uses, goes right through.

Note that putting this stuff in your fusebox may be against code, and void your fire insurance. The capacitor wiring may also be problematic for creating hazards if not done properly (insulated with "spaghetti tubing" on at least the hot side, hot side cut short, a little fuse (1A or so) in series, etc.).

The "problem" has already been solved. (0)

Anonymous Coward | about a year ago | (#46381807)

Its called IPv6 and uses the already existing security layers.

Winner! (0)

Anonymous Coward | about a year ago | (#46381831)

Turn it off.

IOT Security NOT (2)

jraff2 (2828801) | about a year ago | (#46381917)

Most devices that one would connect to the Internet of Things - IOT are mundane data, not peeps into one's life.
Temperature, humidity, wind, sun, rain, etc. None of these need security, so why bother?
Only the things that indicate some personal action, absence, presence like open/close door, walk down hall, would one want to be secret, use HTTPS.
Since most of the reporting will be mundane statistics the security is NOT needed, just use HTTP.

Re:IOT Security NOT (1)

Zero__Kelvin (151819) | about a year ago | (#46382117)

You may not care if you wake up in the middle of the night freezing only to find out that you have no hot water because your pipes are frozen, but I personally do care if my temperature controlled environment is being controlled by someone with nefarious intent.

Humidity (0)

Anonymous Coward | about a year ago | (#46383177)

Humidity levels can cause warranties to discharge and drop the value of your property.

Do we trust Cisco? (0)

Anonymous Coward | about a year ago | (#46382187)

Cisco hasn't been able to secure _any_, not one single product of all of their product lines, and you think we want them to be at the center of the movement of "securing" that which would potentially have access to my entire house? No thanks.

How will they support 20+ year old IoT devices??? (1)

BUL2294 (1081735) | about a year ago | (#46382375)

Let's see... I'm going to trust that an appliance vendor, some of whom have yet to add an OS (Linux, Android, etc.) to their devices, will properly create the security for said IoT device? Cisco is clearly looking to become such a vendor, and I don't think they're prepared to deal with the consequences & unbelievably protracted support schedules--way longer than Microsoft's ~10 year lifecycle for Windows and Office. Ultimately, will my IoT fridge that I buy today continue to work properly 20+ years down the line or will it be pwned long before then? (I suspect the latter...)

The reality is that a company with no such device experience (e.g. Amana, Kenmore, etc.) may contract out the security portion of the firmware to Cisco, but will Cisco continue to support the device's security for decades to come? In reality, people don't replace their home appliances, HVAC systems, and security systems all that often... I doubt Cisco is putting out many security patches for their devices from 1994, or if anyone even has the experience (let alone the desire) to create patches today for Linux 1.1.x security holes...

Re:How will they support 20+ year old IoT devices? (1)

petes_PoV (912422) | about a year ago | (#46382907)

Support? Why would they care?

We know from the pattern of "upgrades" that smart TVs get (i.e. none, or maybe one if there's a major bug) that once a manufacturer has your money any relationship has ended. We should expect no less from smart devices. They will work with whatever software/firmware they were released with and when that dies, gets corrupted, becomes obsolete or a hard-wired IP address disappears, you will basically have a brick. Or, if you're lucky, a brick that still has some manually selectable functions.

If smart devices *do* get all the security bells and whistles that appear to be de rigueur, then it's unlikely they will even be hackable or user-upgradable when their short, short lives come to their inevitable end.

SOOO simple (2)

slashmydots (2189826) | about a year ago | (#46383843)

This is really simple. If you have a smartfridge, don't install Android or Windows on it. Make it a device that would barely qualify as an ASIC that only does what it does. When was the last time someone said their handheld calculator got hacked? If all you need to do is list an inventory of things in your fridge and set temperatures of drawers, make an electronic device that does that and only that. DO NOT just use a pre-existing platform because it's easier. It's a guaranteed way to get hacked.

Re:SOOO simple (2)

tapspace (2368622) | about a year ago | (#46384725)

Embedded and security are my things. I do automotive, so I am used to an industry that will happily incur half a million dollars of engineering cost to save ten cents in per part cost. The thing is, an ASIC is expensive. A microcontroller is cheap. Unfortunately, an ASIC does, by definition one thing and a micro does everything. If you get "root" on the micro, you can run whatever software you want. The people that make these decisions mostly care about per part cost, regardless of security implications. So, restricting it to an ASIC is a really clean engineering solution that your boss will (possibly, rightly) shoot down. And, he's probably under pressure to put this thing (fridge) on the internet. EVERYBODY'S DOING IT! And the customer doesn't give two shits about security principles. It's a real mess we've got cooking...

Re:SOOO simple (0)

Anonymous Coward | about a year ago | (#46385721)

If you get "root" on the micro, you can run whatever software you want.

You can't get root on a micro, at least not one that has a Harvard ROM architecture. The program lives in a different address space which the program can't write to, you might be able to figure out how to cause a micro to do something the designers didn't intend, but with the exception of some incredibly unlikely ROP exploit, it's impossible to get a micro to execute arbitrary code.

Also you missed the GP's point, that there is a huge solution space between high-cost-low-volume ASICs and high-cost-high-volume Linux/Windows SoCs. Pretty much everything in between is both cheaper, has a better security profile, and more suitable for an IoT than putting a Unix-like OS (Windows is Unix-like) in a device.

An Internet of Everything - NZCI000201690 (1)

Jimekai (938123) | about a year ago | (#46385035)

The particular Cisco forum gives an error notice, so I don't take them too seriously. I told them I intend to make an entry, not for a single thing, but for everything. I cobbled together a submission using paragraphs from my missives. With a hundred day effort I could launch a full proposal for Ingrid. If it would be better then, that I relocate back to Canada, I'm prepared to go. This interim challenge involves Artificial Economic Modelling not built on Capitalism but on a completely different mode altogether, one that involves AI security built into the core of every device. Belief regulated competition is the best way to develop AI. Not one of the fourteen constructs defining Antisemitism have been violated, however conflicts of interest must exclude any NWO supporters from developing this proposal. While in an actual mode of being or system such as Capitalism, our current one being paralleled by the study of Electrical Engineering's use of current electricity, when one is contemplating a new theoretical economic mode, competitions will not try to define money. Within such constraints, monetary reform is useless. However an inverse of current electricity exists as static electricity. This has a bad reputation, just like anarchists do, but harnessed into a workable economic model, paralleled by a Free World AI, Capitalism now has a competitor. During the competition phase, LIKE FERRARI v McLaren, emulated quantum pathways will be used to form agreements. Bitcoin-like conceptual single-payer blockchains will connect reasons for every use, eventually substituting all hierarchical power with a totality of information and the Will To Virtuality. This Cisco award should help complete enough of a proposal to secure a full sponsorship for the first $2.5m rebuild of the mature Ingrid Thought Processor, eventually to go into everything. Among all user groups, where there is about the same participation as Ice Hockey, are needed 9,000 clubs of 36000 members or so. 
In other words 1000 hardcore user groups each providing 36 programmers. Total funding would be around $2.5b putting it on par with Formula 1 racing. By a stroke of luck I have attracted a stalker. Because this stalker is resetting my router, this is making my 24/7 dynamic website disappear. I thought long and hard about how I can use this as a Dead Man's switch. I made a mental note to finish my Host Migration algorithm so it splits the 6 man cell monitoring my playlist station and migrates to a new host location, thus instantly creating a new fully functioning cell whenever I go offline. The reserve 3 cell mast must then promote from within enough free Live Clients, to support a new cadre of frozen clones which can be called on to thaw out and become active. Therefore the more I'm attacked the quicker it grows. This is all planned to go out to an expected free audience of 600 million AI clients with 12 million frozen clones feeding the transitional earnings through 600,000 professional members. Coordination is done by 50,000 low powered cognitive radio stations, complemented by six thousand broadcast servers, six for each 36man Language Team.

Re:An Internet of Everything - NZCI000201690 (0)

Anonymous Coward | about a year ago | (#46386649)

really asshole? really? you don't have anything better to do?

Re:An Internet of Everything - NZCI000201690 (0)

Anonymous Coward | about a year ago | (#46390057)

first the jew ridicules

as all security contests... (1)

Tom (822) | about a year ago | (#46386025)

...this is a publicity stunt. 300k is the total prize money, the highest an individual entry can win is 75k. Sorry, but the real experts expect amounts like that as payment, not as maybe-couldbe-whoknows prize money.

So you'll have participants largely being the B class who need the exposure and publicity. That's fine. Maybe not for a general concept, though.

More importantly: What's so different about the "Internet of Things"? That's just the latest buzzword. It's still network-connected devices. Sure, they're basically embedded devices so you have to use tools with low resource demands, but it's not like we invented a completely new computing system. Strip the buzzword and what you're really left with is small computers built into stuff around the house.
