by pdkl95 3361 days ago
> why is IoT, as an idea, retarded?

The usual complaints about IoT as an excuse for surveillance capitalism aside, the key problem with IoT in most products is the (currently obscured) costs do not outweigh the (often novelty) benefits. By benefits I mean actual, significant time or effort savings that need to outweigh the large risks inherent to anything IoT.

> underlying platform for secured communication

That illustrates a big part of the problem. There is no such thing as a "secure platform", because "Security is a process, not a product."[1]

The internet is and will always be an incredibly hostile place. If you plan on internetworking on the shared global network or anything that connects to it in any way, you need to plan on a way to maintain vigilance over the devices you created or are responsible for. This means continuous work into the future[2].

> I bet I could [...beneficial outcomes...]

You're only listing the positive side. To judge IoT properly you also need to enumerate the known problems and possible risks. A few examples of the risks that most IoT devices bring are:

* The other end of the supposed "secure communication" being compromised by governments, criminals, disgruntled workers, etc.

* Bugs (everything has bugs) allowing assholes of the "swatting" persuasion to mess with your power, food, etc. "for the LULZ".

* All that data being logged - even when stored locally - becoming the target for discovery in a trial (maybe involving you, maybe not).

* The manufacturer of your IoT device selling data to your insurance company, or your insurance company requiring that data from you directly (e.g. fitbit data for "cheaper" insurance that now has more ways to deny you coverage).

Those are just some obvious examples. The real problem is that after data is collected it tends to be permanent. Nobody has thought of the big risks of plugging your devices into a hostile network. You see the potential benefits of IoT devices, but you also need to consider what some black hat (or script kiddie) will do with all of those devices - and the data they collect - in 10+ years with a clever new exploit.

[1] https://www.schneier.com/essays/archives/2000/04/the_process...

[2] It might be possible to limit this with products that have a limited lifespan and are guaranteed to leave the network.


All the things you listed are things to be planned for. None of them are extremely terrible in and of themselves with the proper vigilance. Even the data logging should be solvable with reasonable laws.

Apply the general argument to personal computers. Anyone can attack your PC. Once pwned, they can get valuable information. Your IP could be wrongfully associated with a crime, which brings Jonny Law to your door. Given all of this, I still assume you see the idea of being connected via a PC as a good thing, since you wrote a response via a browser.

My question was essentially, why dismiss something whole cloth? You raise valid things to consider, but I don't think that any one of them is a death stroke to IoT. They are, at least in my opinion, design considerations for products that make sense.

> proper vigilance

You seriously expect the average person to have anything close to "proper vigilance" with a collection of IoT devices?

> reasonable laws

I'd absolutely love to see strong data protection laws passed, but that isn't likely in the near-ish future. Also, laws don't protect against bugs.

> All the things you listed are things to be planned for.

The worst problems in a new, unexplored area are the unknown/unexpected problems. You believe these data risks are minor - I strongly disagree - but how can you even begin to make that kind of judgment? Data persists and CVEs increase with time; how can you be certain that your data (which includes access credentials, e.g. SSL keys/certs, passwords) won't be stolen off some server (or your home devices) 20 years from now?

These are huge, unknown, open-ended risks that could suddenly become a problem at any point in the future.

> personal computers

The PC isn't tied to sensors around the house, with the ability to control various important hardware. The thermostat (nest) is an obvious example: it should be a trivial device, because simplicity is one of the better ways to guarantee reliability. Adding massive complexity and network access left a lot of people with a freezing house[1]. My PC isn't tied to important things like the thermostat, because adding risk for effectively a nerd toy, social status symbol, and (allegedly) minor heating-bill benefits isn't a good trade-off, and it's terrible security.

The PC is a risk, but it can also serve as a place to contain the risk of being connected to a hostile network.

> why dismiss something whole cloth

I'm not: "...the key problem with IoT in most products is the ... costs do not outweigh the ... benefits."

Internet connectivity can work if the benefits sufficiently outweigh the cost of having to actually secure the device and remain vigilant and responsive to new security issues for the lifetime of the device. This is expensive, and approximately nobody is doing that right now. I also find it hard to believe that anything remotely similar to the current IoT toys on the market can ever be profitable enough to pay for their own security. There may be exceptions, of course, but they will be expensive (in some way) and rare.

[1] https://www.nytimes.com/2016/01/14/fashion/nest-thermostat-g...

> ...products that have a limited lifespan and are guaranteed to leave the network.

So, perhaps, something like, say... a four year lifespan? And maybe they "get retired" if they fail to leave the network?

Maybe we could give them names like Roy, Zhora, Leon and Pris...

That is more or less the model I intended. Specifically, I was referring to one of Dan Geer's extremely important recommendations in "Cybersecurity as Realpolitik"[1].

[1] https://www.youtube.com/watch?v=nT-TGvYOBpI ( http://geer.tinho.net/geer.blackhat.6viii14.txt )