Do Embedded Systems Need a Time To Die?

Soulskill posted about 3 months ago | from the upgrade-or-perish dept.

Security 187

chicksdaddy writes: "Dan Geer, the CISO of In-Q-Tel, has proposed giving embedded devices such as industrial control and SCADA systems a scheduled end-of-life in order to manage a future in which hundreds of billions of them will populate every corner of our personal, professional and lived environments. Individually, these devices may not be particularly valuable. But, together, IoT systems are tremendously powerful and capable of causing tremendous social disruption. 'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?' he wondered. Geer noted the appearance of malware like TheMoon, which spreads between vulnerable home routers, as one example of how a population of vulnerable, unpatchable embedded devices might be cobbled into a force of mass disruption. Geer proposes a novel solution: embedded systems that do not have a means of being (securely) managed and updated remotely should be configured with some kind of 'end of life,' past which they will cease to operate. Allowing embedded systems to 'die' will remove a population of remote and insecure devices from the Internet ecosystem and prevent those devices from falling into the hands of cyber criminals or other malicious actors, Geer argued."


187 comments


Or you could just you know... (3, Insightful)

Narcocide (102829) | about 3 months ago | (#46997437)

... change the password to something other than the default.

Re:Or you could just you know... (1)

Anonymous Coward | about 3 months ago | (#46997571)

The issue is when there are exploitable bugs found and the device cannot/won't be updated.

An example would be the heartbleed bug which could be present on routers. If the model is EOL or the manufacturer is out of business then a firmware update is unlikely, and even if one is made available most people simply don't bother with them unless something isn't working.

I hate the idea of encouraging planned obsolescence, but I can see where he's coming from.

Re:Or you could just you know... (0)

Anonymous Coward | about 3 months ago | (#46998767)

The problem is that a lot of these embedded devices are faulty by design.

The company wants you to upgrade to newer kit, not upgrade the software. You see this a lot with internet routers. The internet has not changed significantly since the 80's, and with the exception of IPv6 (which no consumer ISP is supporting, not even Comcast who was running trials) so there was no logical reason to replace any internet hardware unless the physical pipe changed. 10Mbit to 100Mbit, to 1Gbit. Even then that old hardware often gets reused until there is a power bottleneck.

Ever buy a stand-alone unmanaged Ethernet switch? Can't upgrade it. Do I need to? Nope. The only difference between a router and an unmanaged switch is that the router acts as a security device, thus it's weak. Back in the days of dialup, everyone had a "real" IP address and thus people were being hacked all the damn time.

So on one side of time and law, people were not protected at all when they were using the internet, and if you wanted to knock someone offline, or an entire ISP offline, you simply needed a larger pipe. Today this has turned into the assholes on 4chan loading up LOIC and targeting their least favorite minecraft server, or something else stupid like the Turkish government.

Re:Or you could just you know... (1)

Anonymous Coward | about 3 months ago | (#46997573)

Having just recently had my E2500 get infected by TheMoon, default passwords are not always the problem. TheMoon gains access because some Linksys routers don't check or ask for credentials in some cases, allowing attackers to do whatever they like.

Re:Or you could just you know... (-1, Troll)

loufoque (1400831) | about 3 months ago | (#46997713)

Why weren't you running Openwrt?

Re:Or you could just you know... (2)

GTRacer (234395) | about 3 months ago | (#46998351)

Why weren't you running Openwrt?

Because not everyone can be arsed to buy a commercial product to fill a specific need, choosing one designed for that need, and then removing core software or hardware in order to make it "open". Some people like to buy things without having to re-engineer them when they get home.

Don't get me wrong. I rooted both my cellphones shortly after purchase, and I have a Linksys home router running custom firmware. I mod things for performance reasons or because it's interesting or enlightening. But not everyone can or should do so. In an ideal world*, the routers would have sane security by default.

I'll take off my rose-tinted specs now and go back to yelling at the kids on my lawn.

Re:Or you could just you know... (1)

jeffmeden (135043) | about 3 months ago | (#46998415)

Why weren't you running Openwrt?

Because not everyone can be arsed to buy a commercial product to fill a specific need, choosing one designed for that need, and then removing core software or hardware in order to make it "open". Some people like to buy things without having to re-engineer them when they get home.

Don't get me wrong. I rooted both my cellphones shortly after purchase, and I have a Linksys home router running custom firmware. I mod things for performance reasons or because it's interesting or enlightening. But not everyone can or should do so. In an ideal world*, the routers would have sane security by default.

I'll take off my rose-tinted specs now and go back to yelling at the kids on my lawn.

OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network. If not, just plan on replacing your firewall/router every year or so to counter the threat of unpatched bugs. To each their own.

Re:Or you could just you know... (1)

DutchUncle (826473) | about 3 months ago | (#46998579)

OpenWRT is so fucking easy to install and configure (easier than some consumer out-of-the-box experiences, even) that there really is no excuse if you expect a secure local network.

No. It's not. To you, or the typical computer tech-savvy /. reader, maybe; but we're not average consumers. My father-in-law is well above average in that he bought a Linksys router rather than depend on the FIOS installed default, and he actually changed the password, but he's not going to reflash it any more than I'm going to rebore my car engine's cylinders with a hand drill. And the various older neighbors who I assist with network stuff, who think the Internet is broken if a web site changes its format, would have no clue whatever.

The REAL question we should all be asking is, If OpenWRT can be so much better, then why is the commercial stuff *not* better?

Re:Or you could just you know... (2)

gbjbaanb (229885) | about 3 months ago | (#46997683)

Or not have a single default password; each device could have a random one set as default (like how each has a unique MAC address, for example) that's printed on the back.

Oh, and maybe we could make control software that is designed to automatically update remotely.

Or... radically, we could just not put a network port on them.

Re:Or you could just you know... (0)

Anonymous Coward | about 3 months ago | (#46998121)

Oh, and maybe we could make control software that is designed to automatically update remotely.

Which assumes there's still someone around releasing updates

Re:Or you could just you know... (1)

3247 (161794) | about 3 months ago | (#46998249)

Which assumes there's still someone around releasing updates

What about an EOL date that's calculated from the date of the last update?

No update for 12 months = EOL.

Re:Or you could just you know... (2)

jeffmeden (135043) | about 3 months ago | (#46998435)

Which assumes there's still someone around releasing updates

What about an EOL date that's calculated from the date of the last update?

No update for 12 months = EOL.

In an enterprise that sort of management would be fine, but I for one would be pissed to hell if I came home one day and my smart TV refused to turn on because it had gone 12 months with no updates. Like most things, the expectations of performance and security differ in every application, so no single rule will ever solve this.

Re:Or you could just you know... (1)

Mr D from 63 (3395377) | about 3 months ago | (#46998277)

How about this innovative approach....keep improving products and let the customers decide which risks they are willing to accept or need to remove.

Dan Geer, the CISO of In-Q-Tel, (5, Informative)

wiredog (43288) | about 3 months ago | (#46997443)

In-Q-Tel [iqt.org]

The IQT Mission

We identify, adapt, and deliver innovative technology solutions to support the missions of the Central Intelligence Agency and broader U.S. Intelligence Community.

Re:Dan Geer, the CISO of In-Q-Tel, (1)

Anonymous Coward | about 3 months ago | (#46997587)

Hmm, so he sells hardware and he is in the business of providing info to an organization which remotely hacks hardware.. and thinks we should force end-of-life on hardware and force everything to be remotely accessible.. I see no problems here.

Re:Dan Geer, the CISO of In-Q-Tel, (2)

cusco (717999) | about 3 months ago | (#46998581)

OK, this makes more sense. Only true morons of that caliber could imagine that ripping and replacing the control system for a power dam, the guts of a multimillion dollar CNC mill, or the access control system for an entire enterprise every few years was a good thing. Know how long it takes to update the embedded firmware on a reader board over RS-485? Fifteen to forty five minutes. Each door. I've worked in enterprises with as many as 21000 reader panels.

Not just "NO", but "NO FUCKING WAY, NO!"

Re:Dan Geer, the CISO of In-Q-Tel, (1)

Lonewolf666 (259450) | about 3 months ago | (#46998745)

Agreed, and even where a replacement would be easy, I think we have too much planned obsolescence already. Not all users will be computer-savvy enough to understand how to update their systems. This proposal would cause unnecessary costs and waste.

No thanks (0, Interesting)

Anonymous Coward | about 3 months ago | (#46997445)

What the guy is saying is all devices must be connected 24/7 or they will be removed from use. Since removal from use is obviously undesirable in the long run, his message is all devices must be connected all the time (possibly to "trusted" remote points managed by In-Q-Tel's masters - you know who you are).

What is this guy's definition of "remote"? Can I manage my embedded devices from my own servers? Is that not remote enough?

Does it have to be a "cloud" setup hosted somewhere deep in Utah with a bunch of Booz Allen people managing it?

Looking forward to remotely activated microphones in my washing machine and toaster, to improve the user experience.

Re:No thanks (0, Interesting)

Anonymous Coward | about 3 months ago | (#46997565)

What the guy is saying is all devices must be connected 24/7 or they will be removed from use. Since removal from use is obviously undesirable in the long run, his message is all devices must be connected all the time (possibly to "trusted" remote points managed by In-Q-Tel's masters - you know who you are).

What is this guy's definition of "remote"? Can I manage my embedded devices from my own servers? Is that not remote enough?

Does it have to be a "cloud" setup hosted somewhere deep in Utah with a bunch of Booz Allen people managing it?

Looking forward to remotely activated microphones in my washing machine and toaster, to improve the user experience.

You jest, but I seriously think that the NSA is getting away with a lot of things right now. The latest generation proves that they simply cannot live without some form of cellphone on them at all times. Now we are apparently being suckered into having mics and webcams in TVs to improve user experience (wait, what?); apparently it's all about gestures. (What retard wants to wave at their TV? In all seriousness?) The remote is still the best way to interact with said TV.

And then we have HDMI networking interfaces coupled with on-demand TV, and suddenly the TV can actively spy on you for the NSA or other body.

1984 is here albeit 30 years late.. (thanks to a gullible population)

Re:No thanks (0)

Anonymous Coward | about 3 months ago | (#46998345)

Bingo. What is with this IoT push? All it does is expand the current problems we have.

Security 101: If worried about it, don't hook it up to the Net. It is sad reading about these marketdroids demanding that their stuff have Net access or disable themselves. Not everyone wants/needs their SCADA stuff online.

Yes, Stuxnet vectors are possible, but they have been since the beginning of time. Air-gapping means that an attacker has to get a physical presence in order to do harm, and not just hack from some hut in the swamp in Elbonia.

Re:No thanks (0)

Anonymous Coward | about 3 months ago | (#46998539)

Looking forward to remotely activated microphones in my washing machine and toaster, to improve the user experience.

What better way to connect you promptly to the call center in Southeast Asia, than to detect vocal patterns like "god fucking damned burned toast again!!!!!"

Terrible idea (4, Informative)

mirix (1649853) | about 3 months ago | (#46997451)

You'll have to install custom firmware to prevent things from having to go to the dump on their third birthday?

Seems pretty ridiculous, not to mention that it can still have a hole exploited on the day they launch the device, and not be updated for years (in its allotted lifespan).

I'm more for the option of making things easier to update, and, the important part... actually release bloody updates! I'm looking at you, almost every embedded device manufacturer out there.

Re:Terrible idea (0)

Anonymous Coward | about 3 months ago | (#46997517)

If they started shipping all their routers with the password set to match the serial number with an SSH style lockout after X amount of failed attempts, TheMoon wouldn't work.

Also disable remote administration by default as well as WPA2 by default for WiFi

Re:Terrible idea (1)

CastrTroy (595695) | about 3 months ago | (#46997717)

This is why I will never buy an Android phone again. The lack of guaranteed updates is a huge problem. I have a hen which has decent hardware, but the software is stuck in the past. Apple and even Windows phones do a much better job at being kept up to date.

Re:Terrible idea (1)

silas_moeckel (234313) | about 3 months ago | (#46997763)

Try a Nexus; droid vendors tend to only update current for-sale hardware, and that changes every 6-12 months.

Re:Terrible idea (1)

Simulant (528590) | about 3 months ago | (#46997793)

Even Nexus is only good for a few years.... I'm holding my breath for another year of N4 updates.

Re:Terrible idea (0)

Anonymous Coward | about 3 months ago | (#46997977)

I thought so too and selected Nexus 5, but since purchase in January, it has got only one system update and that happened on the first day I used the phone. It seems that Google cares about bugs on already sold devices as much as anybody else in the industry.

Re:Terrible idea (2)

wolrahnaes (632574) | about 3 months ago | (#46998431)

I thought so too and selected Nexus 5, but since purchase in January, it has got only one system update and that happened on the first day I used the phone. It seems that Google cares about bugs on already sold devices as much as anybody else in the industry.

Android itself has not seen an update since then. The Nexus 5 initially shipped with 4.4.0 and got both 4.4.1 and 4.4.2 as soon as they were publicly announced. When Android 4.4.3 comes out (apparently soon) you're basically guaranteed to be the first device for which it's available.

Compare this to all the other phone vendors, who at least in the case of the large ones you know have had access to 4.4.3 for some time, where most devices still aren't on 4.4.2. Where devices are still being *launched* brand new and out of date the moment they're available.

Re:Terrible idea (2)

dbIII (701233) | about 3 months ago | (#46997781)

I have a hen which has decent hardware, but the software is stuck in the past.

Eggsactly.

Re:Terrible idea (0)

Anonymous Coward | about 3 months ago | (#46998601)

This is why I will never buy an Android phone again. The lack of guaranteed updates is a huge problem. I have a hen which has decent hardware, but the software is stuck in the past. Apple and even Windows phones do a much better job at being kept up to date.

I was pleasantly surprised to see a number of vendors planning on a 4.4 update, even to handsets that were (gasp) released over 2 years ago. The tide is slowly changing in the market, vendors are seeing value in churning out code to keep customers loyal. And to that end you have got to be fucking kidding me with Windows Phone. I don't care that the OS got an "update", if it can't run half the apps what goddamn good is it? I use both regularly (work shackles me with a Nokia piece of shit) and Android is so fucking far ahead of Windows Phone in terms of software maintenance and usability that it's not even worth comparing.

Re:Terrible idea (0)

Anonymous Coward | about 3 months ago | (#46997727)

Holy shit, so many issues pop up with embedded devices. Updates should be somewhat mandatory.

Re:Terrible idea (1)

jellomizer (103300) | about 3 months ago | (#46997935)

Never a good solution.

Techs who have been around before the year 2000 tend to have this policy. Upgrade only after it has been proven. This is a lesson they have learned because, especially during the late 90's, patches and upgrades didn't go in smoothly and often caused more problems than they fixed.
Today patching and upgrades tend to go in far more smoothly; however, we still want to be sure that it is proven to work before we are the first to jump in.

Now this means our systems are also more vulnerable for a longer time, and may need to have a secondary means to protect yourself from the system.
 

Re:Terrible idea (1)

cusco (717999) | about 3 months ago | (#46998605)

Windows NT 3.51 Service Pack 3. 'Nuff said.

Re:Terrible idea (1)

funwithBSD (245349) | about 3 months ago | (#46998595)

Like androids in Blade Runner...

I've seen things you people wouldn't believe. Attack ships on fire off the shoulder of Orion. I watched C-beams glitter in the dark near the Tannhauser gate. All those moments will be lost in time, like tears in rain. Time to die.

Windows CE (-1, Flamebait)

lyberth (319170) | about 3 months ago | (#46997457)

If the embedded system is running Windows CE, then YES! DIE NOW. Otherwise, I can't see why.

Re:Windows CE (0)

Anonymous Coward | about 3 months ago | (#46997635)

Hey, my Sega Dreamcast includes Windows CE (not the operating system, but libraries for compatibility) and should NOT DIE!

Re:Windows CE (1)

91degrees (207121) | about 3 months ago | (#46997853)

Why?

Not used it, but CE seems to be a perfectly adequate embedded OS, with some degree of actual support from the developer.

Re:Windows CE (1)

cusco (717999) | about 3 months ago | (#46998611)

And the vast majority of Win CE devices aren't even hooked up to a network so good luck exploiting them.

How to sound deep (2)

kruach aum (1934852) | about 3 months ago | (#46997465)

Imply the opposite of what is expected, without regard for reality, truth or common sense. Ex:

"'Is all the technologic dependency, and the data that fuels it, making us more resilient or more fragile?'"

Look at this amazing thinker. Didn't he just blow your fucking mind?

Re:How to sound deep (2)

roninmagus (721889) | about 3 months ago | (#46997657)

There's also what I refer to as the "lone voice in the wilderness" effect. Whereby, whatever the issue, if someone simply states that they have an "inexpressible doubt" in something then they will seem to be the smartest person in the room. This is used quite often in political debates. It's also quite effective for opening up "I told you so" options later, when they never really told anyone anything.

Re:How to sound deep (0)

Anonymous Coward | about 3 months ago | (#46998341)

If they're so smart, why can't they express their doubt?

Wrong thing (0)

Anonymous Coward | about 3 months ago | (#46997467)

How about just not connecting those systems to the internet in the first place? Seriously, this is not a hardware issue but a people issue. Some idiot somewhere wants to be lazy and doesn't take time to properly secure systems.

my thermostat (3, Insightful)

spectrokid (660550) | about 3 months ago | (#46997477)

My thermostat will never be connected to anything and does not need an end of life thank you very much. And I want to see the manager who will approve buying this kind of stuff.

Re:my thermostat (0)

Anonymous Coward | about 3 months ago | (#46998107)

Talk to anyone in the:
- Shoe industry
- Car part industry
- Clothing industry
- etc

Merchandise from these are all designed to fail. It creates more repeat business. Check out the movie "Kinky Boots" as it touches on this subject.

Planned obsolescence (4, Interesting)

Melkman (82959) | about 3 months ago | (#46997487)

What could possibly go wrong ? A PLC controlling a plant stopping at some random date is perfectly acceptable, right. I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.

Not so sure (0)

Anonymous Coward | about 3 months ago | (#46997561)

A guaranteed replacement market is a wet dream for any market.

Seems like vendor lock-in and constantly running support deals are a better deal. If the crappy pos equipment dies the next one purchased might be from your competitor who actually developed their product instead of sat on the castpiles. If the pos product instead only fails slightly you'll get endless support revenue. Bleed the sucker so dry he can't afford to replace the pos equipment.

Re:Planned obsolescence (2)

Vlad_the_Inhaler (32958) | about 3 months ago | (#46997877)

I think *that* is the main point of this idea, security is just a way of selling it.

Re:Planned obsolescence (1)

inasity_rules (1110095) | about 3 months ago | (#46997999)

A lot. You can't do that with a PLC as that would be clinically insane and might have serious safety/economic ramifications. No engineer worth his salt would touch such a device. You might configure it to simply fail to startup after a powerdown on a certain date, but not have it stop while the system is running.

Re:Planned obsolescence (1)

thegarbz (1787294) | about 3 months ago | (#46998441)

You might configure it to simply fail to startup after a powerdown on a certain date, but not have it stop while the system is running.

Interesting thought which breaks down when you consider that many such devices are powered down only when they reach end of life and need replacing. Anyway the commercial impact is still ludicrous. Go stand in front of management and tell them we are losing $1000000 per day because the power outage triggered an end-of-life time bomb in the control system and the vendor needs 6 weeks to ship a new one.

The entire premise is retarded, protesting things should artificially die because a vendor refuses to provide security fixes.

Re:Planned obsolescence (1)

inasity_rules (1110095) | about 3 months ago | (#46998775)

I would agree, though I have had a number of long running plants I have sat in front of that were offline for weeks because they were "broken", and investigation showed that the operator had simply forgotten how to look for and clear a startup error....

It is ridiculous in any case, and I don't think it is a good idea. The trouble is, in a long running plant, they will never apply any "security fix" because that means shutting down the system anyway. Possibly even re-commissioning and testing the damn thing anyway, depending on policy. This is why most of the time people go with air gaps and such. Not always possible, but it is a bit of a tricky problem.

Re:Planned obsolescence (1)

cusco (717999) | about 3 months ago | (#46998637)

A manufacturer who implements this will see his customer base abandon him in droves and will be reduced to only doing work for the consumer market. I have worked on access control systems that have been in place for well over 20 years, I would never install one that we knew would fail after 3.

Re:Planned obsolescence (1)

jeffmeden (135043) | about 3 months ago | (#46998687)

What could possibly go wrong ? A PLC controlling a plant stopping at some random date is perfectly acceptable, right. I'm sure manufacturers will love this. A guaranteed replacement market is a wet dream for any market.

Obsolescence is already planned for every single product, no matter what, period. If done properly (imho) then a guaranteed fail-by date would cause the realization that the true cost of ownership per year for a system would include the cost of scrapping it when it's too old to work right. Today, what happens is a system is bought because it fit in the budget this year, and it's held on to for as long as possible, long after security and failure risk have climbed way way up past an acceptable point, because "it still works, don't it?" This "let me keep it as long as I want" mentality is exactly what causes many poor decisions and big big problems. If a part in a plant isn't being tracked right down to the date/time of manufacture, of installation (and who installed it and what software it had) then you are already Doing It Wrong. A rolling plan of "here are 10 cards we need to replace this month" is perfectly workable in any modern operation. If not, you deserve for your plant to shut down sooner rather than later.

Here's a better idea (5, Interesting)

msobkow (48369) | about 3 months ago | (#46997495)

Here's a better idea. Charge anyone who ships unpatchable and unpatched hardware with sponsoring terrorism, because it's their laziness causing the problem.

Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?

Better still (0)

Anonymous Coward | about 3 months ago | (#46997665)

Better still, you should have a choice: a $30 unpatchable router with a 3 year lifespan, or a $50 patchable router.

Also, if your router is found to be harboring terrorists, it should be arrested and detained indefinitely at Gitmo.

Re:Better still (1)

parkinglot777 (2563877) | about 3 months ago | (#46998307)

Better still, you should have a choice: a $30 unpatchable router with a 3 year lifespan, or a $50 patchable router.

$30 is not worth it if it is vulnerable out of the shelf when you bought it. Also, how long do you think each product would be in a store before it is sold? So no to unpatchable because the patchable is still a safer choice.

Re:Better still (1)

hendrips (2722525) | about 3 months ago | (#46998591)

How nice of you to make that decision for everyone else. Believe it or not, it is actually possible that sometimes the more expensive, more secure option doesn't offer enough benefits to outweigh the increased costs in certain use cases.

I'm sure that my cheapo router at home doesn't meet your lofty standards of safety. I understand the potential security risks that this router poses reasonably well. I could have spent $50 extra to buy a "better" router, then spent an evening or so figuring out how to hack it so I could put your approved firmware on it. But I don't, because it's a freaking home router, and I've made a reasoned decision that the security benefits don't outweigh the extra time, money, and hassle. Maybe I'm wrong about that (though I seriously doubt it), but why shouldn't I get to make that decision?

Re:Better still (2)

Imagix (695350) | about 3 months ago | (#46998749)

but why shouldn't I get to make that decision

Because your "reasoned" decision apparently doesn't take into account the threat you now represent to everybody else.

Re:Here's a better idea (0)

Anonymous Coward | about 3 months ago | (#46997687)

Why the hell should I be forced to buy, buy, and rebuy the same god damned hardware over and over to save them from patching their shitty systems that they sell?

Because capitalism.

Re:Here's a better idea (1)

Sarten-X (1102295) | about 3 months ago | (#46998047)

Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?

If you want eternal support, you should buy from a vendor that offers eternal support at a suitably expensive price. If there isn't such a vendor, you should re-engineer your solution to include only components that have such support, or build those parts yourself.

Re:Here's a better idea (1)

Nimey (114278) | about 3 months ago | (#46998329)

To be devil's advocate (I don't necessarily agree with the author's proposition, though I can see how he got there), your business model of making cheap crap doesn't deserve protection; either adapt and make more expensive, maintainable stuff or die.

An even better idea. (0)

Anonymous Coward | about 3 months ago | (#46998373)

Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?

Then you don't belong in the business. Find another business to get into.

Why is it that businesses get favorable treatment and is protected when their business is outdated but when one of us peons have "outdated" skills we're screwed?

Retraining? Can't get a job without experience in THAT field or skill.

So, what's good for us peons is good for businesses.

Can't survive or make enough money with your current business model? Well, fuck you - move to another business.

Re:Here's a better idea (1)

cusco (717999) | about 3 months ago | (#46998651)

you should buy from a vendor that offers eternal support at a suitably expensive price.

We will. Enjoy your descent into the hell of the consumer market because commercial and industrial customers will abandon you immediately.

Re:Here's a better idea (1)

jeffmeden (135043) | about 3 months ago | (#46998755)

Or to put it another way, why the hell should I, as a manufacturer, be forced to pay, pay, and pay again for people to make updates for a cheap piece of hardware that barely covered its own cost in the first place?

If you want eternal support, you should buy from a vendor that offers eternal support at a suitably expensive price. If there isn't such a vendor, you should re-engineer your solution to include only components that have such support, or build those parts yourself.

You are presuming that humans are any good at all at assessing the risk of something as nuanced as purchasing something with no (meaningful) support. Does it work when I install it? No, ok take it back and get a new one. Yes, ok great leave it there until it stops working. Wait, there are two versions I can buy, they both do the exact same thing, but this one is twice as much because it comes with a 3 year service warranty? Fuck that I won't need it 3 years from now anyway, that is someone else's problem.

Absolutely not (4, Insightful)

Ceriel Nosforit (682174) | about 3 months ago | (#46997501)

These are not consumer items. Industrial systems seldom live just one life, and after being decommissioned they usually go up for auction to be recommissioned somewhere else. If you artificially disrupt this dynamic you cause enormous economic loss, and for what? To perpetuate a buzzword?

The entire proposal is barking up the wrong tree.

It is however a moderately interesting insight into the echo-chamber of national intelligence. Rather funny to see how Mr. Geer talks about monocultures while laying on their own lore _thick_.

Re:Absolutely not (1)

Wizardess (888790) | about 3 months ago | (#46997527)

Not just barking up the wrong tree but also just plain barking mad, absurd, off the wall, and possibly . . . . . a troll.

{O.O}

Re:Absolutely not (1)

Ceriel Nosforit (682174) | about 3 months ago | (#46997567)

Any troll elaborate enough is indistinguishable from a valuable contribution. ;)

His philosophy is geared for rhetoric alone, like the ancient Greek, and not for enlightened self-interest.

What about devices with no RTC? (4, Insightful)

pipedwho (1174327) | about 3 months ago | (#46997513)

If a device does not have a way to keep track of time (eg. in built real time clock, with backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?

You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).

What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.

Re:What about devices with no RTC? (1)

caitriona81 (1032126) | about 3 months ago | (#46997661)

Simple enough. Skip the clock entirely, and let the battery itself be the "clock". The battery dies, and the device no longer operates. It's not particularly difficult to design a system with an embedded, non-rechargeable battery that lasts for a specified lifespan. There may be some variability in that time, but you can get close enough this way to kill off neglected devices by a certain point.

Re:What about devices with no RTC? (3, Insightful)

RDW (41497) | about 3 months ago | (#46997843)

Simple enough. Skip the clock entirely, and let the battery itself be the "clock". The battery dies, and the device no longer operates. It's not particularly difficult to design a system with an embedded, non-rechargeable battery that lasts for a specified lifespan. There may be some variability in that time, but you can get close enough this way to kill off neglected devices by a certain point.

Take out 'non-rechargeable' and this is pretty much Apple's business model.

Re:What about devices with no RTC? (0)

Anonymous Coward | about 3 months ago | (#46997895)

Gaming industry has and uses suicide batteries.
http://www.retroclinic.com/leopardcats/decrypt/decryption.htm

Re:What about devices with no RTC? (1)

jeffmeden (135043) | about 3 months ago | (#46998799)

If a device does not have a way to keep track of time (eg. in built real time clock, with backup battery that will last for the duration of the device's 'lifetime'), then it becomes vulnerable to permanent denial of service when something spoofs a fake future date and time. What happens when a hundred thousand devices go offline because someone spoofed an NTP response?

You may as well force every device to have a kill switch and remotely shut it down when it's too old. At least that'll probably require some kind of public key signature from an authenticated service (in the same way you'd authenticate a remote firmware update).

What I'm trying to say is this is one of those 'management ideas' that sounds great in the philosophical sense, but fails in technical merit.

That's easy, let it count the hours it runs (as most devices already do) irrespective of time. After 3 years (or whatever) of operation, it stops or creates an annoying ass alarm buzz or something.

And more to the point, you have probably hit on the real "solution" to the security issue, a remote kill switch. If a vulnerability gets in the wild, simply kill all the affected devices until they can be reflashed with a fixed version (and a new timer). That's what you want to have happen anyway, right? 10 million silenced PLCs instead of 10 million nodes of some new botnet, attacking and putting at risk the other 10 billion devices on the net.
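The two expiry schemes argued over in the comments above (end of life taken from network-supplied time versus a local run-hour counter), as an added example that is not part of any poster's comment. The device model, constants and function names are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define LIFETIME_HOURS (3u * 365u * 24u)  /* "3 years (or whatever)" of operation */
#define BUILD_EPOCH    1400000000ull      /* constructed manufacture time, in seconds */

/* Constructed model of a device with no battery-backed RTC. */
struct device {
    uint64_t wall_clock;  /* last time value accepted from the network */
    uint32_t run_hours;   /* local counter; assumed to live in non-volatile storage */
    bool     expired;     /* latched: once set, the device stays dead */
};

/* Variant A: end of life derived from unauthenticated network time. */
static bool tick_wallclock(struct device *d, uint64_t network_time) {
    d->wall_clock = network_time;  /* accepted without any check */
    if (d->wall_clock > BUILD_EPOCH &&
        d->wall_clock - BUILD_EPOCH >= (uint64_t)LIFETIME_HOURS * 3600u)
        d->expired = true;
    return !d->expired;
}

/* Variant B: end of life derived only from hours the device has actually run. */
static bool tick_runhours(struct device *d, uint64_t network_time) {
    d->wall_clock = network_time;  /* usable for log timestamps, never for expiry */
    if (d->run_hours < UINT32_MAX)
        d->run_hours++;            /* one call models one hour of operation */
    if (d->run_hours >= LIFETIME_HOURS)
        d->expired = true;
    return !d->expired;
}

/* Runs one-hour ticks 1..hours. At tick spoof_at (0 = never) the network reports
 * a time 20 years ahead. Returns the tick at which the device expired, 0 if it survived. */
uint32_t simulate(bool use_runhours, uint32_t hours, uint32_t spoof_at) {
    struct device d = { .wall_clock = BUILD_EPOCH };
    for (uint32_t t = 1; t <= hours; t++) {
        uint64_t now = BUILD_EPOCH + (uint64_t)t * 3600u;
        if (t == spoof_at)
            now += 20ull * 365u * 24u * 3600u;  /* forged time reply */
        bool alive = use_runhours ? tick_runhours(&d, now) : tick_wallclock(&d, now);
        if (!alive)
            return t;
    }
    return 0;
}

int main(void) {
    printf("wall-clock expiry, spoof at hour 10: died at hour %u\n",
           (unsigned)simulate(false, 100, 10));
    printf("run-hour expiry,   spoof at hour 10: died at hour %u\n",
           (unsigned)simulate(true, 100, 10));
    printf("run-hour expiry,   no spoof:         died at hour %u\n",
           (unsigned)simulate(true, LIFETIME_HOURS + 5, 0));
    return 0;
}
```

A run-hour counter only works if it survives power cycles, so on real hardware it has to be written to non-volatile storage.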

Sympathy, but no go (5, Insightful)

gnalre (323830) | about 3 months ago | (#46997515)

As someone who has to support legacy systems, there is nothing I would like more than to see old embedded systems die (and in some cases, incinerated and the embers crushed into the ground).

But we have to be realistic.

The main effort in systems like SCADA is the commissioning time required. You cannot just rip out a system, plug in a new box and expect everything to work as before.

Secondly, who pays for this? The customer will not be happy if we say that every 5 years you have to close your factory down for 2 weeks while we rip out all your old boxes and replace them with new ones.

Finally what is the guarantee that the new box has not introduced a new security hole?

The real solution is the segmentation of the security and application code. Use Trusted boot technologies to verify the running code and ring fence the code with your security management application. Then if a new threat is introduced you only need to update the security app, leaving the hardware and application untouched.

Unfortunately, at present industrial applications either have no security or are very closely coupled, meaning that updates are difficult and costly.

This is actually already a big problem (4, Interesting)

Stephen Bryant (3653487) | about 3 months ago | (#46997579)

There are a lot of cars, insurance telematics devices, security alarms, etc. sitting on mobile phone networks generating signaling and consuming radio resources. They were designed in the early days and largely not reachable. Simply terminating the credentials in the network doesn't help - it actually makes the problem worse because the firmware on the device is often quite aggressive and keeps trying to attach. This is something that has absorbed a lot of my time combating and there are efforts in standards bodies to address. This approach is actually a pretty good idea IMO.

Re:This is actually already a big problem (1)

drainbramage (588291) | about 3 months ago | (#46998209)

Are you the dude that got HP to put 'time out' chips in their print cartridges?

Blinkered (4, Informative)

AlecC (512609) | about 3 months ago | (#46997593)

This guy has an incredibly blinkered view of "embedded devices". Most embedded devices are not connected to the Interned. Should my wristwatch, washing machine, car ignition controller, garage door opener, swimming pool pump, dumb TV, bank vault, disk drive, mouse, keyboard, etc. all die prematurely because somebody else makes a router that can be prejudiced? There are literally billions of embedded devices in the world, of which probably less than one in a thousand is connected to the internet. Yet this seems to be suggesting that we should kill a thousand devices because one /might/ be prejudiced.

Re:Blinkered (1)

TeknoHog (164938) | about 3 months ago | (#46998753)

This guy has an incredibly blinkered view of "embedded devices". Most embedded devices are not connected to the Interned.

Did you mean: Most people who design such devices are interned.

roybatty.exe (1, Offtopic)

ktakki (64573) | about 3 months ago | (#46997595)

I've... seen things you people wouldn't believe... Iranian centrifuges on fire off the shoulder of Orion. I watched c-beams glitter in the dark near the Ford River Rouge Assembly Plant. All those... moments... will be lost in time, like tears... in... rain.

  Time... to die...

Re:roybatty.exe (1)

Gibgezr (2025238) | about 3 months ago | (#46997859)

Thank you, you made my morning.

Re:roybatty.exe (1)

Wormsign (1498995) | about 3 months ago | (#46998321)

I came here to post this reference. Thanks.

Not necessarily a bad idea (0)

Anonymous Coward | about 3 months ago | (#46997613)

Unlike everyone else it seems, I think this might actually be a Good Thing if:
1) it's clearly announced up front so no-one has gripes about things going out of order, preferably with a big huge honking counter visible on the front panel
2) it's implemented in a sensible way instead of introducing new remotely exploitable killswitch (think inkjet printers already having a waste inkpad for cleaning and keeping track of how many times it's been used)
3) most importantly manufacturers are obliged to take care of their products in form of security updates and so forth for the lifespan, preferably regulated by laws and/or by the threats of lawsuits if they fail to deliver

Real problem but wrong solution (1)

caitriona81 (1032126) | about 3 months ago | (#46997639)

1. From a security standpoint, in a highly controlled environment, remote update capability is also a security risk, no matter how supposedly "secure" that capability is. The ability to configure the hardware so that hands on the device are required to apply updates is important. Physical security is easier to verify than logical security - it's much easier to inspect seals, padlocks, and security tags than it is to inspect the device firmware.
2. Flash memory is relatively cheap, especially in the small sizes needed for firmware. The hardware required to read firmware from a removable memory card is relatively inexpensive compared to the total retail price of most embedded hardware, even consumer-grade embedded hardware. Thus, firmware replacement through replacement of a compactflash/sd/microsd card is a viable option that can be easily designed in to these systems. The ability to remotely update that firmware could then either be omitted, or able to be disabled through jumpers, switches, etc.
3. Manufacturers need to recognize that hardware will last longer than it's designed, and will remain in service with someone for far longer than originally intended, and plan accordingly. Releasing the firmware and documentation under suitable free software / open source licenses from day one would be ideal, but if this isn't compatible with their business model, some form of code/documentation escrow process that guarantees eventual release of the code at "end of life" would be a viable alternative which would not significantly weaken their business model.

Re:Real problem but wrong solution (1)

ebyrob (165903) | about 3 months ago | (#46998583)

Exactly.

These things need to be built robust and secure in the first place or no amount of "remote management" is going to fix the problem.

Why is it so impossible that a product could be created and released, and still perfectly functional after 10 years with no need of a single software upgrade? Because we have no quality control of any value in the software industry. If a car (or worse airplane) suddenly died because it was 5 years old, the manufacturer would be out of business in a week.

as far as the topic of technology (1)

FudRucker (866063) | about 3 months ago | (#46997693)

Ted Kaczynski Manifesto "Industrial Society and Its Future," is possibly correct, Technology is getting to own civilization, or rather the powers that be will inevitably use it against civilization reducing people to the status of cattle

http://www.foxnews.com/opinion... [foxnews.com]

Re:as far as the topic of technology (1)

ebyrob (165903) | about 3 months ago | (#46998599)

Perhaps you should read the right to read: http://www.gnu.org/philosophy/... [gnu.org]

This idea has been around a long long time, and there are even people trying to protect you from that particular dystopian future.

Very stupid rent seeking idea (1)

dbIII (701233) | about 3 months ago | (#46997759)

Very stupid rent seeking idea - especially when it involves all those little things in dusty corners relied upon to "just work" and whatever cold spares are around in case they break.
It's equivalent to demanding that people replace thirty year old transistor radios in their kitchens and workshops.

Ridiculous premise (3, Insightful)

mschaffer (97223) | about 3 months ago | (#46997801)

This is based on a ridiculous premise that newer=more secure.

Who is going to pay for all of this?
What happens when someone forgets to replace some critical controller (gee, I thought your group was in charge of replacing it...)?

Also, what's In-Q-Tel's real motive? Mandating a secret back-door so that the CIA can have access to what they want? Or, are they quietly investing in Siemens, Rockwell Automation, Hitachi, and the like?

Greedy CEOs just smiled a little bit more... (0)

Anonymous Coward | about 3 months ago | (#46997823)

Stagnant wages for the bottom 90% of workers for 30+ years. Average CEO pay now 350+ times the average worker pay. Planned obsolescence becoming mainstream acceptable? Priceless.

Here's a better idea (0)

Anonymous Coward | about 3 months ago | (#46997909)

Actually design these things to be RELIABLE: use languages such as Erlang; and do correctness proofs of central modules. Business applications are just hacked up, by coding them. That is not viable for real time systems. We are headed for a world in which 5% of the countless things around us are always broken or misbehaving. It will suck. Cowboy coding is going to make garbage of our tech future.

Disable Automatic Shutdown (1)

Deideldorfer (514118) | about 3 months ago | (#46997919)

This will solve nothing. The first thing you'll do after you've pwnd one of these systems is to disable the automatic shutdown

Not a single Bladerunner reference? (0)

Anonymous Coward | about 3 months ago | (#46997963)

I am disappoint.

Yes (1)

Murdoch5 (1563847) | about 3 months ago | (#46998025)

I've recently started to put a time tracking system in all my embedded firmwares that lock out the system after X amount of time ( usually in years ), the only way to clear the lock out is to send the part back to my company so we can inspect it. It's no longer suitable to use mean life expectancy of parts as the bench mark for the life of a product, this has made it almost impossible to calculate a real end of life date, instead it's much more practical to do what I've started and to require the products to get serviced by the engineer every X amount of time.

Another Solution (2)

McDrewbie (530348) | about 3 months ago | (#46998169)

Maybe we should realize that not everything needs to be computerized and networked and the like. Not everything needs to be "smart".

Which also allows... (0)

Anonymous Coward | about 3 months ago | (#46998221)

...a government actor the ability to compromise each subsequent new generation of hardware on a schedule.

Sorry, In-Q-Tel, but you really don't realize that post Snowden any information provided to the public by the Intelligence Establishment is now automatically untrustworthy, akin to Watergate? Oh, and you are part of the Intelligence Establishment, however removed you want to claim to be.

Time-based end of life not very helpful (3, Insightful)

Idarubicin (579475) | about 3 months ago | (#46998269)

Okay, so my new device (a LeakyTech router, say) has a five-year expiry clock on it. A vulnerability is discovered a year after I buy it. It spends 80% of its lifetime completely exposed. I'm now out of pocket for the cost of a new device every five years, and I'm only protected for 20% of the time. Nice.

Or, my new device (from Securitron, this time) is actually quite secure. It takes ten years for the bad guys to find an unpatched or unpatchable hole. Five years of reliable, trustworthy use I could have had get thrown away. I've pointlessly reduced the safe, working lifetime of my electronic device by 50%, doubling my hardware cost and incurring extra downtime for no improvement in my security. Nice.

Better yet, I've gone through a couple of cycles of forced obsolescence. This time around, I've moved from the Securitron product to the LeakyTech one, and now introduced a hole in my security that wasn't there before. Either the LeakyTech device has another rapidly-discovered vulnerability - maybe it was introduced when they tried to patch their first one-year defect - or I didn't configure the new hardware properly when I was making my enforced switchover. Nice.

Oh great. (3, Insightful)

funwithBSD (245349) | about 3 months ago | (#46998297)

More DRM killswitches.

NSA! (0)

Anonymous Coward | about 3 months ago | (#46998349)

How can the NSA plant backdoors into networked industrial controls without some sort of method to force industry to purchase new controllers on a regular basis?

Planned Obsolescence (0)

Anonymous Coward | about 3 months ago | (#46998367)

So you're telling me I'm going to have to replace my perfectly good refrigerator just because the (unnecessary) gee-whiz module that lets me check its temperature on my iPhone hit its expiration date? This is a win for manufacturers and a huge loss for everyone else

Here's what I propose: make the manufacturer legally (and financially) responsible for any security incidents over the lifetime of the product. I'm sure, through the magic of the marketplace, that the vendors will suddenly discover some way to make their embedded systems either upgradable.

What a waste (2)

morgauxo (974071) | about 3 months ago | (#46998427)

This sounds more like an idea for hardware companies that want to ensure people keep buying their new stuff. It's like chipped printer cartridges.

First off.. how about just making things updateable?

Second, how about not connecting things to the internet that don't have a reason to be?

The last thing we need is yet more perfectly functional electronics sitting in the bottom of landfills.

Let's flip it around (1)

sjames (1099) | about 3 months ago | (#46998549)

How about we make the manufacturer either maintain support for the device or release full specs (including source and a sane build environment) to their customers and any signing keys they might need to update the things themselves.

My plan is more fair and might keep things out of the landfill rather than filling it faster.

Preview of resistance... (1)

DriveDog (822962) | about 3 months ago | (#46998565)

Tire manufacturers in the US resist tires having expiration dates. Why would they mind, since that might increase demand for replacements? Distributors and retailers might mind since it means their inventory loses market value quicker than it would otherwise. Supposedly the manufacturers fear that having an expiration date will imply to consumers that their tires should last until that date. The lifetime might be set at 6 years, which is longer than most tires' tread lasts.

To some degree I'd expect this sort of thinking to apply here.
