[time-nuts] Nutty time-nuttery with WWVB

[Bill Hawkins]

There are some problems with the Internet of Things and security.
For example, look up the Mirai botnet and the DDoS attack on DNS
provider Dyn last month.

To understand the situation better, read Bruce Schneier's "Secrets and
Lies", available as a PDF.
The book was written in 2000 when things were simpler and easier to
understand, but it still applies.
The man has a sense of humor.

Schneier makes the point that it is difficult to test software
functionality but impossible to test for security.
Buffer overruns were a problem back when Morris wrote the first worm.
They are still a problem because software vendors can write legal
license agreements that say the vendor is not responsible for any
failures caused by the software. Basically, you bought it on an "as-is"
basis. So the software ships, bugs are discovered, and sometimes the
vendor fixes the bugs, especially if they are made public. Vendors don't
spend money doing things they don't have to do.

IoT devices are made as cheaply as possible. They are made user friendly
by not burdening the user with security configuration, so user names and
passwords have well-known defaults. The device has no anti-virus
application. The simple routers offer little protection, as they have
their own issues with default keys to their configuration.

Marketing departments have gotten very good at stampeding buyers for
things of little value. So good that companies that make the control
systems for the nation's manufacturing plants and utilities have
embraced the Industrial IoT. That should have been the Industrial
Distributed IoT (IDIoT). Previously, control systems had no connection
to the Internet, and so there was no need for Internet Security
concerns. Now there are many security services, so the IDIoT has created
jobs, as well as sales of routers. The air gap and the data diode have
been discredited since Stuxnet, which was spread by strewing the parking
lot with USB drives. 

Schneier emphasizes that the difficulty of providing security increases
with the complexity of the system. As you may have noticed, each new
revision of an operating system provides about a 4X increase of lines of
code (in the case of Windows). Security is always in a catch-up race
with the ability of criminals to find and exploit faults.

Please pardon this intrusion into the world of precision time, but the
issue was raised here. As a designer of industrial control systems, I've
made it a point to study security, and found Schneier to be a fount of
information.

Perhaps a disclaimer is in order. I do not know Schneier and receive
nothing from plugging his work.

Bill Hawkins