Passwords have a dopey equal in Things on the Internet
The much maligned password has an equally dopey digital neighbor in Things on the Internet.
What could possibly go wrong with hordes of technically challenged users plugging vulnerable digital cameras into the internet then retiring to their home theater to watch junior toss and turn in his sleep, and devise a seven-character pasw0rd for their financial services account?
A lot, it appears, if you're running an internet infrastructure company called Dyn. Last week, the company was knocked offline by a toxic alignment of poorly configured and constructed Things, and a malware strain called Mirai.
It's bad enough that individuals routinely rip holes in their own digital lives with their weak passwords, but now those same wacky technicians are empowering a fire-breathing menace that moves at 620 gigabits per second.
The Internet of Things is still very much a lab experiment. Things on the Internet is a comedy-of-errors reality show. While the internet is an established and massively connected global communication network, Things have little need beyond novelty for internet connections.
If there are any questions as to the importance of proper access controls, they were answered last week. But there are more questions coming.
Senator Mark Warner (D-Va.) sent questions last week to the Federal Communications Commission (FCC), the Federal Trade Commission (FTC) and the Department of Homeland Security (DHS). He is waiting for responses.
Sen. Warner has become Capitol Hill's internet question and answer man. Last month Warner asked the Securities and Exchange Commission (SEC) to investigate in the wake of Yahoo's surprise acknowledgement of a two-year-old hack that involved 500 million user accounts. It was just another access control catastrophe.
But Things on the Internet don't need an investigation, they need time, standards, engineers and innovation so they can securely play on a massively connected global communication network. (A moratorium on internet connections wouldn't hurt either.)
What's missing includes a common language for devices to talk to one another, an identity and security layer for identifying and verifying "Things," standard security constructs that define upgrades to firmware or software, and methods to combat devices that are compromised and assimilated into botnets.
And we haven't even begun to address data collection and privacy issues.
Welcome to the neighborhood.