
Facebook Wielded Data to Reward, Punish Rivals, Emails Show

Is anyone surprised?

Quote

Facebook Inc. wielded user data like a bargaining chip, providing access when that sharing might encourage people to spend more time on the social network — and imposing strict limits on partners in cases where it saw a potential competitive threat, emails show.

A trove of internal correspondence, published online Wednesday by U.K. lawmakers, provides a look into the ways Facebook bosses, including Chief Executive Officer Mark Zuckerberg, treated information posted by users like a commodity that could be harnessed in service of business goals. Apps were invited to use Facebook’s network to grow, as long as that increased usage of Facebook. Certain competitors, in a list reviewed by Zuckerberg himself, were not allowed to use Facebook’s tools and data without his personal sign-off.

In early 2013, Twitter Inc. launched the Vine video-sharing service, which drew on a Facebook tool that let Vine users connect to their Facebook friends. Alerted to the possible competitive threat by an engineer who recommended cutting off Vine’s access to Facebook data, Zuckerberg replied succinctly: “Yup, go for it.”

A spokeswoman for Twitter declined to comment.

In other cases Zuckerberg eloquently espoused the value of giving software developers more access to user data in hopes that it would result in applications that, in turn, would encourage people to do more on Facebook. “We’re trying to enable people to share everything they want, and to do it on Facebook,” Zuckerberg wrote in a November 2012 email. “Sometimes the best way to enable people to share something is to have a developer build a special purpose app or network for that type of content and to make that app social by having Facebook plug into it. However, that may be good for the world but it’s not good for us unless people also share back to Facebook and that content increases the value of our network.”

Dutch court rejects man’s request to be 20 years younger

Well, although not exactly IT news, I wanted to post this. I sort of get it. As I read the article, I immediately thought of the rampant age discrimination in IT/ICT (as well as other industries). Sure, not all seniors have kept up, but many have and they have a tremendous amount to contribute. It is a tragedy that they are kicked to the curb as Walmart greeters.

Yeah yeah – maybe Emile Ratelband is not the best example, but his bid does shed light on a deeply troubling subject, especially in the IT/ICT industry.

Quote

A Dutch court has rejected the request of a self-styled “positivity guru” to shave 20 years off his age, in a case that drew worldwide attention.

Last month Emile Ratelband asked the court in Arnhem to formally change his date of birth to make him 49. He said his official age did not reflect his emotional state and it was causing him to struggle to find work and love.

He claimed he did not feel 69 and said his request was consistent with other forms of personal transformation gaining acceptance around the world, such as the right to change name or gender.

In a written ruling on Monday, the court said Dutch law assigned rights and obligations based on age “such as the right to vote and the duty to attend school. If Mr Ratelband’s request was allowed, those age requirements would become meaningless.”

In a press statement, the court said: “Mr Ratelband is at liberty to feel 20 years younger than his real age and to act accordingly. But amending his date of birth would cause 20 years of records to vanish from the register of births, deaths, marriages and registered partnerships. This would have a variety of undesirable legal and societal implications.”

The court said it acknowledged “a trend in society for people to feel fit and healthy for longer, but did not regard that as a valid argument for amending a person’s date of birth”.

It said Ratelband failed to convince the court that he suffered from age discrimination, adding that “there are other alternatives available for challenging age discrimination, rather than amending a person’s date of birth”.

Ratelband was undeterred by the court’s rejection and vowed to appeal. “This is great!” he said. “The rejection of [the] court is great … because they give all kinds of angles where we can connect when we go in appeal.”

He said he was the first of “thousands of people who want to change their age”.

Break up Facebook (and while we’re at it, Google, Apple and Amazon)

Reich concludes “We must resurrect antitrust” – yes and we need to do that very fast.

Quote

Big tech has ushered in a second Gilded Age. We must relearn the lessons of the first, writes the former US labor secretary

Last week, the New York Times revealed that Facebook executives withheld evidence of Russian activity on their platform far longer than previously disclosed. They also employed a political opposition research firm to discredit critics.

There’s a larger story here.

America’s Gilded Age of the late 19th century began with a raft of innovations – railroads, steel production, oil extraction – but culminated in mammoth trusts owned by “robber barons” who used their wealth and power to drive out competitors and corrupt American politics.

We’re now in a second Gilded Age – ushered in by semiconductors, software and the internet – that has spawned a handful of giant hi-tech companies.

Facebook and Google dominate advertising. They’re the first stops for many Americans seeking news. Apple dominates smartphones and laptop computers. Amazon is now the first stop for a third of all American consumers seeking to buy anything.

“Amazon the first stop…” — The main reason is that they have allowed illegal predatory pricing to drive out competition. And Amazon is usually never a good deal. Check it out carefully: Prime products are always more expensive than elsewhere, even on the Amazon site. With Prime you pay twice. Brilliant!

This consolidation at the heart of the American economy creates two big problems.

First, it stifles innovation. Contrary to the conventional view of a US economy bubbling with inventive small companies, the rate at which new job-creating businesses have formed in the United States has been halved since 2004, according to the census.

A major culprit: big tech’s sweeping patents, data, growing networks and dominant platforms have become formidable barriers to new entrants.

The second problem is political. These massive concentrations of economic power generate political clout that’s easily abused, as the New York Times investigation of Facebook reveals. How long will it be before Facebook uses its own data and platform against critics? Or before potential critics are silenced even by the possibility?

America responded to the Gilded Age’s abuses of corporate power with antitrust laws that allowed the government to break up the largest concentrations.

President Teddy Roosevelt went after the Northern Securities Company, a giant railroad trust financed by JP Morgan and John D Rockefeller, the nation’s two most powerful businessmen. The US supreme court backed Roosevelt and ordered the company dismantled.

In 1911, President William Howard Taft broke up Rockefeller’s sprawling Standard Oil empire.

It is time to use antitrust again. We should break up the hi-tech behemoths, or at least require they make their proprietary technology and data publicly available and share their platforms with smaller competitors.

There would be little cost to the economy, since these giant firms rely on innovation rather than economies of scale – and, as noted, they’re likely to be impeding innovation overall.

But is this politically feasible? Unlike the Teddy Roosevelt Republicans, Trump and his enablers in Congress have shown little appetite for antitrust enforcement.

Republicans rhapsodize about the “free market” but have no qualms about allowing big corporations to rig it at the expense of average people. Yet as the late Robert Pitofsky, former chairman of the Federal Trade Commission, once noted: “Antitrust is a deregulatory philosophy. If you’re going to let the free market work, you’d better protect the free market.”

But the Democrats, for their part, have shown no greater appetite for antitrust – especially when it comes to big tech.

In 2012, the staff of the FTC’s bureau of competition submitted to the commissioners a 160-page analysis of Google’s dominance in the search and related advertising markets, and recommended suing Google for conduct that “has resulted – and will result – in real harm to consumers and to innovation”.

But the commissioners, most of them Democratic appointees, chose not to pursue the case.

The Democrats’ recent “better deal” platform, which they unveiled a few months before the midterm election, included a proposal to attack corporate monopolies in industries as wide-ranging as airlines, eyeglasses and beer. But, notably, the proposal didn’t mention big tech.

Maybe the Democrats are reluctant to attack the industry because it has directed so much political funding to Democrats. In the 2018 midterms, the largest recipient of big tech’s largesse, ActBlue, a fundraising platform for progressive candidates, collected nearly $1bn, according to the Center for Responsive Politics.

As the New York Times investigation makes clear, political power can’t be separated from economic power. Both are prone to abuse.

Antitrust law was viewed as a means of preventing giant corporations from undermining democracy. “If we will not endure a king as a political power,” thundered Ohio’s Senator John Sherman, the sponsor of the nation’s first antitrust law in 1890, “we should not endure a king over the production, transportation and sale” of what the nation produced.

In the second Gilded Age as in the first, giant firms at the center of the American economy are distorting the market and our politics.

We must resurrect antitrust.

Here are another 45,000 reasons to patch Windows systems against old NSA exploits

Quote

It’s 2018 and UPnP is still opening up networks – this time to leaked SMB cyber-weapons

Earlier this year, Akamai warned that vulnerabilities in Universal Plug’N’Play (UPnP) had been exploited by scumbags to hijack 65,000 home routers. In follow-up research released this week, it revealed little has changed.

Having revisited its April probing, the web cache biz has come to the conclusion that the security nightmare it dubbed “UPnProxy” is still “alive and well.”

Yep, no surprise here. No one cares. And the home routers that the likes of Verizon give out are pure crap that a wet boy scout could hack. But hell, just hook all your IoT devices to it and you’re safe, right? Grrhhh.

The only way to truly secure a router from UPnProxy attacks is to reflash the hardware, clearing any attacker-injected configuration and installing patched firmware, where available. Oh, and turn UPnP off, which has been standard advice for a decade.

The problem is basically this: it’s possible to send carefully crafted HTTP requests to public-facing UPnP services running on various routers to access their internal networks, or relay traffic through the gateways to other machines on the internet. With access to a home LAN, it’s possible to attack and infect connected PCs and gizmos. These UPnP vulns, described here [PDF], have not been comprehensively patched.

Scanning the internet once again, Akamai found that out of a pool of 3.5 million potentially vulnerable routers, 277,000 were still open to UPnProxy, and 45,000 have been hijacked. The latest twist is that whoever commandeered these gateways has tried to port forward Windows file sharing aka SMB services from the internal PCs to the outside world so they can be exploited and remote-controlled by the leaked Eternal family of NSA cyber-weapons.

Patches are available for Windows to thwart attacks by EternalBlue et al: your ‘doze machines should not fall for these SMB-based infections if you’ve been keeping up to date, though your router may have been snared if you haven’t disabled UPnP or patched it.
Details

Akamai’s security team explained in this blog post that a sign of infection is the appearance of “telltale routes” in the gateways’ port mappings. The essay also outlined how the hackers hijacked some 45,000 routers:

Network scanning – the attackers either mass-scanned the internet looking for machines presenting the Simple Service Discovery Protocol (SSDP) to the world that would reveal the UPnP service, and/or they targeted devices that use a static port (TCP/2048) and path (/etc/linuxigd/gatedesc.xml) for the UPnP daemons.
When a vulnerable device is found, the attackers set up SMB port forwarding from the LAN to the public internet, using the router’s built-in configuration web portal, so that the miscreants can reach stuff on the LAN from outside.

Here is one example of the kind of Network Address Translation (NAT) forwarding rule the attackers could inject into a vulnerable router:

{“NewProtocol”: “TCP”, “NewInternalPort”: “445”, “NewInternalClient”: “192.168.10.212”, “NewPortMappingDescription”: “galleta silenciosa”, “NewExternalPort”: “47669”}

Once the miscreants have compromised a target, they then try to run the NSA-authored, Shadow Brokers-released EternalBlue (CVE-2017-0144), or the Linux variant EternalRed (CVE-2017-7494) against PCs behind the gateway to potentially hijack them.

EternalBlue has been used to infect machines since its release in April 2017, most famously in the WannaCry attacks that began in May 2017; EternalRed pwns *nix systems with a one-line Samba exploit.

Finally, the 45,000-ish hijacked routers have exposed a total of 1.7 million hosts on local networks to the public ‘net via UPnProxy. So that’s up to nearly two million computers the attackers may have compromised and roped into malware-controlled botnets, Akamai claimed. ®

Oh, I know the solution, let’s get a “suit” to do a 3-year study!
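The attack and the indicator in the quoted Akamai/Register piece both come down to one UPnP IGD action, AddPortMapping, and one table, the gateway’s port-mapping list. The following is an added example (not Akamai’s or The Register’s code) that renders the Akamai rule as the SOAP request an attacker would POST to the gateway’s control URL, and then audits a port-mapping table for the two UPnProxy signatures the article describes: a LAN SMB port forwarded to the internet, and a mapping whose internal client is not a LAN address at all (the relay-through-the-gateway case). It assumes the gateway implements WANIPConnection:1, the IGD v1 service; the three table entries are constructed, one of them copying the Akamai rule verbatim, and 198.51.100.23 is a documentation address standing in for an internet host.

```python
# Added example: audit a UPnP IGD port-mapping table for UPnProxy-style injections.
# Assumes the gateway speaks WANIPConnection:1; all SOAP bodies below are constructed.
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List
from xml.sax.saxutils import escape

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_ENV = "http://schemas.xmlsoap.org/soap/envelope/"
SOAP_ENC = "http://schemas.xmlsoap.org/soap/encoding/"

# Only RFC 1918 space should appear as NewInternalClient on a home gateway.
# ipaddress.is_private is avoided on purpose: it also matches the documentation
# range 198.51.100.0/24 used for the constructed relay entry below.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SMB_PORTS = {139, 445}  # Windows file sharing, what the hijacked routers forwarded


def _envelope(action: str, args: Dict[str, str]) -> str:
    """Wrap a WANIPConnection:1 action (or its *Response) in a SOAP 1.1 envelope."""
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in args.items())
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_ENV}" s:encodingStyle="{SOAP_ENC}">'
            f'<s:Body><u:{action} xmlns:u="{WANIP}">{body}</u:{action}></s:Body></s:Envelope>')


def build_add_port_mapping(rule: Dict[str, str]) -> str:
    """The AddPortMapping body an attacker POSTs to the IGD control URL with the header
    SOAPAction: "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping".
    `rule` uses the key names from the Akamai sample; the rest are IGD defaults."""
    return _envelope("AddPortMapping", {
        "NewRemoteHost": "",                       # empty = accept from any source host
        "NewExternalPort": rule["NewExternalPort"],
        "NewProtocol": rule["NewProtocol"],
        "NewInternalPort": rule["NewInternalPort"],
        "NewInternalClient": rule["NewInternalClient"],
        "NewEnabled": "1",
        "NewPortMappingDescription": rule.get("NewPortMappingDescription", ""),
        "NewLeaseDuration": "0",                   # 0 = the mapping never expires
    })


def _entry(ext: str, proto: str, iport: str, client: str, desc: str) -> str:
    """A constructed GetGenericPortMappingEntry response for one table row."""
    return _envelope("GetGenericPortMappingEntryResponse", {
        "NewRemoteHost": "", "NewExternalPort": ext, "NewProtocol": proto,
        "NewInternalPort": iport, "NewInternalClient": client, "NewEnabled": "1",
        "NewPortMappingDescription": desc, "NewLeaseDuration": "0"})


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_port: int
    internal_client: str
    description: str


def parse_mapping(xml_text: str) -> Mapping:
    """Pull the New* arguments out of an AddPortMapping request or a
    GetGenericPortMappingEntry response; both carry the same field names."""
    fields = {}
    for elem in ET.fromstring(xml_text).iter():
        name = elem.tag.rsplit("}", 1)[-1]       # strip any namespace prefix
        if name.startswith("New"):
            fields[name] = (elem.text or "").strip()
    return Mapping(int(fields["NewExternalPort"]), fields["NewProtocol"].upper(),
                   int(fields["NewInternalPort"]), fields["NewInternalClient"],
                   fields.get("NewPortMappingDescription", ""))


def classify(m: Mapping) -> List[str]:
    """Findings for one mapping; an empty list means an ordinary LAN forward."""
    findings = []
    if not any(ipaddress.ip_address(m.internal_client) in net for net in LAN_NETS):
        findings.append("relay: NewInternalClient is not a LAN address")
    if m.protocol == "TCP" and m.internal_port in SMB_PORTS:
        findings.append(f"smb-exposure: LAN port {m.internal_port} on external port {m.external_port}")
    return findings


def audit(responses: List[str]) -> Dict[int, List[str]]:
    """external port -> findings, for every table row that has at least one."""
    report = {}
    for xml_text in responses:
        m = parse_mapping(xml_text)
        hits = classify(m)
        if hits:
            report[m.external_port] = hits
    return report


# The rule from the Akamai write-up, exactly as quoted.
AKAMAI_RULE = {"NewProtocol": "TCP", "NewInternalPort": "445", "NewInternalClient": "192.168.10.212",
               "NewPortMappingDescription": "galleta silenciosa", "NewExternalPort": "47669"}

# Constructed table: a legitimate Plex forward, the injected SMB forward, and a
# UPnProxy relay whose "internal" client is an internet host (documentation address).
SAMPLE_TABLE = [
    _entry("32400", "TCP", "32400", "192.168.10.50", "Plex"),
    _entry("47669", "TCP", "445", "192.168.10.212", "galleta silenciosa"),
    _entry("8080", "TCP", "80", "198.51.100.23", ""),
]

if __name__ == "__main__":
    print(build_add_port_mapping(AKAMAI_RULE))
    for ext, hits in sorted(audit(SAMPLE_TABLE).items()):
        print(ext, hits)
```

On a live gateway you would fetch each row with GetGenericPortMappingEntry, incrementing NewPortMappingIndex from 0 until the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid), and feed the response bodies to audit(). A flagged row can be cleared with DeletePortMapping (NewRemoteHost, NewExternalPort, NewProtocol), but that only removes the mapping, not whatever else the attacker did to the device, which is why the article’s advice is to reflash and turn UPnP off.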

Marriott’s Starwood hotels had mega-hack exposing half a BILLION guests details

In case you missed it, Marriott’s Starwood hotels had a mega-hack in which half a BILLION guests’ details were exposed over 4 years. Yes, that is right, it took them four years to discover and act.

I have prattled on about how I see little seriousness in IT security, and this hack is simply more proof of the abysmal state of affairs. But what the hell, when companies and governments practice rampant age discrimination against senior IT personnel that could really help, in favor of cheaply paid newbies or book-learned “management” types (we called them “suits”) that have never configured anything more than their coffee pot, what do you expect?

Quote

US hotel chain Marriott has admitted that a breach of its Starwood subsidiary’s guest reservation network has exposed the entire database – all 500 million guest bookings over four years, making this one of the biggest hacks of an individual org ever.

“On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database in the United States,” said the firm in a statement issued this morning. “Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014.”

Around 327 million of those guest bookings included customers’ “name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (‘SPG’) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.”

For an unspecified number, encrypted card numbers and expiration dates were also included, though Marriott insisted there was AES-128 grade encryption on these details, saying: “There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken.”

This could be read as a reference to salting and hashing though no further detail was supplied. We have contacted Marriott to double-check and will update this article if we hear back from them.

Having identified the breach, on 19 November Marriott and its investigators found an encrypted database online in an unspecified location. After decrypting it, they discovered a full copy of the entire Starwood guest reservation database.

Affected hotel brands include:

W Hotels
St. Regis
Sheraton Hotels & Resorts
Westin Hotels & Resorts
Element Hotels
Aloft Hotels
The Luxury Collection
Tribute Portfolio
Le Méridien Hotels & Resorts
Four Points by Sheraton
Design Hotels that participate in the Starwood Preferred Guest (SPG) program
Starwood branded timeshare properties

Arne Sorenson, Marriott’s prez and chief exec, said in a canned statement he “deeply regrets” this incident took place, adding that the company has set up a “dedicated website and call centre”.

Law enforcement in the US has been notified. The hotel chain is emailing customers now to inform them.

That customer information website is here (its info.starwoodhotels.com URL resolves to the domain of security firm Kroll) and it includes an offer to enrol affected customers into the Webwatcher personal info breach monitoring system. Those emails, said the firm, will come from the address starwoodhotels@email-marriott.com and “will not contain any attachments or request any information from you, and any links will only bring you back to this webpage”.

Affected or potentially affected customers are being warned to change their passwords and not use easily guessed ones.

Few hacks of individual firms’ customer data have come close to the scale of this one. The Yahoo! breach in 2013 saw three billion email accounts breached, while Carphone Dixons, the UK electronics retail chain, managed to lose control of 5.9 million sets of payment card data. In the US, the US Government Office for Personnel Management (which handles sensitive files on millions of government workers) had the personal data of 21 million employees breached by hackers. ®

U.S. Lawmaker Says Facebook Cannot Be Trusted to Regulate Itself

No shit Sherlock

Quote

WASHINGTON — Democratic U.S. Representative David Cicilline, expected to become the next chairman of House Judiciary Committee’s antitrust panel, said on Wednesday that Facebook Inc cannot be trusted to regulate itself and Congress should take action.

Cicilline, citing a report in the New York Times on Facebook’s efforts to deal with a series of crises, said on Twitter: “This staggering report makes clear that @Facebook executives will always put their massive profits ahead of the interests of their customers.”

“It is long past time for us to take action,” he said.

Facebook did not immediately respond to a request for comment.

Facebook Chief Executive Mark Zuckerberg said a year ago that the company would put its “community” before profit, and it has doubled its staff focused on safety and security issues since then. Spending also has increased on developing automated tools to catch propaganda and material that violates the company’s posting policies.

….

“We’ve known for some time that @Facebook chose to turn a blind eye to the spread of hate speech and Russian propaganda on its platform,” said Cicilline, who will likely take the reins of the subcommittee on regulatory reform, commercial and antitrust law when the new, Democratic-controlled Congress is seated in January.

“Now we know that once they knew the truth, top @Facebook executives did everything they could to hide it from the public by using a playbook of suppressing opposition and propagating conspiracy theories,” he said.

“Next January, Congress should get to work enacting new laws to hold concentrated economic power to account, address the corrupting influence of corporate money in our democracy, and restore the rights of Americans,” Cicilline said.

B.S. — Facebook can never put “community” before profits because it’s that community and the rape of their privacy that is the core Facebook business model. Who are they kidding?

Delay, Deny and Deflect: How Facebook’s Leaders Fought Through Crisis

A great article worth a full read! Here we have Facebook creating their own Fake News to cover up their disgusting unethical behavior. This is a long and excellent read and highly recommended. It shows clearly Facebook’s pattern of covering up its faults with lobbyists, misinformation, and outright lies.

Note to advertisers: Withdraw all advertising on Facebook. Let them die.
Note to Facebook users: Delete your account now

Some brief excerpts…but again, read entire article to see how this disgusting company operates.

Quote

While Mr. Zuckerberg has conducted a public apology tour in the last year, Ms. Sandberg has overseen an aggressive lobbying campaign to combat Facebook’s critics, shift public anger toward rival companies and ward off damaging regulation. Facebook employed a Republican opposition-research firm to discredit activist protesters, in part by linking them to the liberal financier George Soros. It also tapped its business relationships, lobbying a Jewish civil rights group to cast some criticism of the company as anti-Semitic.

Anti-Semitic? Need any other proof of the amoral, unethical behavior of Facebook? Disgusting. It is behavior like that that leads to more anti-Semitism. Shame!

In Washington, allies of Facebook, including Senator Chuck Schumer, the Democratic Senate leader, intervened on its behalf. And Ms. Sandberg wooed or cajoled hostile lawmakers, while trying to dispel Facebook’s reputation as a bastion of Bay Area liberalism.

This account of how Mr. Zuckerberg and Ms. Sandberg navigated Facebook’s cascading crises, much of which has not been previously reported, is based on interviews with more than 50 people. They include current and former Facebook executives and other employees, lawmakers and government officials, lobbyists and congressional staff members. Most spoke on the condition of anonymity because they had signed confidentiality agreements, were not authorized to speak to reporters or feared retaliation.

And now let’s see how they use misinformation to combat critics. It is clear that Facebook learned well from their Russian propaganda teachers.

In March, The Times, The Observer of London and The Guardian prepared to publish a joint investigation into how Facebook user data had been appropriated by Cambridge Analytica to profile American voters. A few days before publication, The Times presented Facebook with evidence that copies of improperly acquired Facebook data still existed, despite earlier promises by Cambridge executives and others to delete it.

Mr. Zuckerberg and Ms. Sandberg met with their lieutenants to determine a response. They decided to pre-empt the stories, saying in a statement published late on a Friday night that Facebook had suspended Cambridge Analytica from its platform. The executives figured that getting ahead of the news would soften its blow, according to people in the discussions.

They were wrong. The story drew worldwide outrage, prompting lawsuits and official investigations in Washington, London and Brussels. For days, Mr. Zuckerberg and Ms. Sandberg remained out of sight, mulling how to respond. While the Russia investigation had devolved into an increasingly partisan battle, the Cambridge scandal set off Democrats and Republicans alike. And in Silicon Valley, other tech firms began exploiting the outcry to burnish their own brands.

“We’re not going to traffic in your personal life,” Tim Cook, Apple’s chief executive, said in an MSNBC interview. “Privacy to us is a human right. It’s a civil liberty.” (Mr. Cook’s criticisms infuriated Mr. Zuckerberg, who later ordered his management team to use only Android phones — arguing that the operating system had far more users than Apple’s.)

Facebook scrambled anew. Executives quietly shelved an internal communications campaign, called “We Get It,” meant to assure employees that the company was committed to getting back on track in 2018.

Then Facebook went on the offensive. Mr. Kaplan prevailed on Ms. Sandberg to promote Kevin Martin, a former Federal Communications Commission chairman and fellow Bush administration veteran, to lead the company’s American lobbying efforts. Facebook also expanded its work with Definers.

On a conservative news site called the NTK Network, dozens of articles blasted Google and Apple for unsavory business practices. One story called Mr. Cook hypocritical for chiding Facebook over privacy, noting that Apple also collects reams of data from users. Another played down the impact of the Russians’ use of Facebook.

The rash of news coverage was no accident: NTK is an affiliate of Definers, sharing offices and staff with the public relations firm in Arlington, Va. Many NTK Network stories are written by staff members at Definers or America Rising, the company’s political opposition-research arm, to attack their clients’ enemies. While the NTK Network does not have a large audience of its own, its content is frequently picked up by popular conservative outlets, including Breitbart.

Mr. Miller acknowledged that Facebook and Apple do not directly compete. Definers’ work on Apple is funded by a third technology company, he said, but Facebook has pushed back against Apple because Mr. Cook’s criticism upset Facebook.

If the privacy issue comes up, Facebook is happy to “muddy the waters,” Mr. Miller said over drinks at an Oakland, Calif., bar last month.

Note to Sandberg: Take your money and retire from public life. The world will be a better place without your sleazy input.

‘No Morals’: Advertisers React to Facebook Report

Quote

Several top marketers were openly critical of the tech giant, a day after The New York Times published an investigation detailing how Facebook’s top executives — Mark Zuckerberg and Sheryl Sandberg — made the company’s growth a priority while ignoring and hiding warning signs over how its data and power were being exploited to disrupt elections and spread toxic content. The article also spotlighted a lobbying campaign overseen by Ms. Sandberg, who also oversees advertising, that sought to shift public anger to Facebook’s critics and rival tech firms.

The revelations may be “the straw that breaks the camel’s back,” said Rishad Tobaccowala, chief growth officer for the Publicis Groupe, one of the world’s biggest ad companies. “Now we know Facebook will do whatever it takes to make money. They have absolutely no morals.”

Marketers have grumbled about Facebook in the past, concerned that advertisements could appear next to misinformation and hate speech on the platform. They have complained about how the company handles consumer data and how it measures ads and its user base. But those issues were not enough to outweigh the lure of Facebook’s vast audience and the company’s insistence that it was trying to address its flaws.

And after this article was published online, Mr. Tobaccowala called The New York Times to add to his comments.

“The people there do,” he said, referring to possessing morals, “but as a business, they seem to have lost their compass.”

“So far, the track record basically has been that regardless of what Facebook does, they keep getting more money,” Mr. Tobaccowala said. “The question simply is, will this make people wake up?”

Good question! The stupidity of their user base and the equal stupidity, well actually complicity, of their advertisers is a disgrace. What it may take is for people to boycott those companies that advertise on Facebook. Maybe in this manner the final nails can be put into the Facebook coffin.

Facebook Tells Advertisers It Can Reach Many Young People. Too Many

Quote

Facebook faced criticism on Wednesday after an analyst pointed out that the company’s online advertising tools claim they can reach 25 million more young Americans than the United States census says exist.

The analyst, Brian Wieser at Pivotal Research, said in a note Tuesday that Facebook’s Ads Manager says it can potentially reach 41 million 18- to 24-year-olds in the United States and 60 million 25- to 34-year-olds. The catch, according to Mr. Wieser: the census counted just 31 million 18-to-24-year-olds last year and 45 million 25-to-34-year-olds.

“The buyers and marketers I talked to were unaware of this and they are using it for planning purposes,” Mr. Wieser said in an interview. “Buyers are still going to buy from them and plan for them, but this is something that doesn’t need to be an error and puts every other metric they might provide into question.”

The criticism over audience figures comes as Facebook disclosed on Wednesday that hundreds of fake accounts apparently based in Russia had purchased $100,000 worth of political advertising during the American presidential election last year; the tech firm said it had shut down the accounts.

The census figure discrepancy is likely to be a setback for Facebook with advertisers and a boon for outside measurement companies like Nielsen and ComScore, particularly as Facebook vies to make video advertising a bigger part of its business, Mr. Wieser said. Mr. Wieser is one of two analysts with a “sell” rating on Facebook shares, compared to 42 “buy” recommendations and three “hold” ratings, according to data compiled by Bloomberg.

Unethical, disgusting company that deserves to be kicked to the curb. Delete your Facebook account now.

Anyone who knows me will hear me whine that no one takes IT security seriously enough. The main reason is that there are no teeth in the laws that cover breaches. That leads to organizations pinching pennies. Here is an article by Bruce Schneier that lays out the case. Will I stop whining? Not yet.

Quote

Bruce Schneier: You want real IoT security? Have Uncle Sam start putting boots to asses. Infosec’s cool uncle says to hell with the carrot

Any sort of lasting security standard in IoT devices may only happen if governments start doling out stiff penalties.

So said author and computer security guru Bruce Schneier, who argued during a panel discussion at the Aspen Cyber Summit this week that without regulation, there is little hope the companies hooking their products up to the internet will implement proper security protections.

“Looking at every other industry, we don’t get security unless it is done by the government,” Schneier said.

“I challenge you to find an industry in the last 100 years that has improved security without being told [to do so] by the government.”

Schneier went on to point out that, as it stands, companies have little reason to implement safeguards into their products, while consumers aren’t interested in reading up about appliance vendors’ security policies.

“I don’t think it is going to be the market,” Schneier argued. “I don’t think people are going to say I’m going to choose my refrigerator based on the number of unwanted features that are in the device.”

Schneier is not alone in his assessment either. Fellow panellist Johnson & Johnson CISO Marene Allison noted that manufacturers have nothing akin to a bill of materials for their IP stacks, so even if customers want to know how their products and data are secured, they’re left in the dark.

“Most of the stuff out there, even as a security professional, I have to ask myself, what do they mean?” Allison said.

That isn’t to say that this is simply a matter of manufacturers being careless. Even if vendors want to do right by data security, a number of logistical hurdles will arise both short and long term.

Allison and Schneier agreed that simply trying to port over the data security policies and practices from the IT sector won’t work, thanks to the dramatically different time scales that both industrial and consumer IoT appliances tend to have.

“Manufacturers do not change all the IT out every five years,” Allison noted. “You are looking at a factory having a 25- to 45-year lifespan.”

Support will also be an issue for IoT appliances, many of which go decades between replacement.

“The lifespan for consumer goods is much more than our phones and computers, this is a very different way of maintaining lifecycle,” Schneier said.

“We have no way of maintaining consumer software for 40 years.”

Ultimately, addressing the IoT security question may need to be spearheaded by the government, but, as the panelists noted, any long-term solution will require a shift in culture and perception from manufacturers, retailers and consumers.