Abusing the Internet of Things
Probably a good time to remind people to look over this before jumping in head first:
http://www.amazon.co.uk/Abusing-Internet-Things-Blackouts-Freakouts/dp/1491902337
When the boss comes and asks you if you're ready to do something with the Internet of Things thing she or he read about in an airline magazine, prepare to give them a very, very long list of things you'll need to do in order to get ready for the magical new world of measuring everything everywhere all the time. Next, prepare …
"How was the code developed?"
Some months ago I was involved in the development of a Bluetooth LE device (loosely part of the IoT).
From the discussions on the developer's forum it was clear that there are many products being developed out there that are basically just slight modifications of the demo code with little thought about proper development practices, security, whatever.
I bet if you go look at the code base of much of the IoT code out there you'll find it still has demo code in it with the typical disclaimer of "This code is supplied for demonstration purposes only and is not intended to be used for production software".
Making a BT device (or similar) is pretty complicated, so it is no wonder people will use the shortest line between two points and just modify demo code.
Auditing code is even harder and I bet that's not happening either.
This is exactly the same scenario that led to SQL injection attacks. This sort of thing will never change unfortunately because there is a massive skill discrepancy between those creating the technology and the hordes needed to implement it a million times.
One answer might be to go the extra mile on demo code so that it's secure, but then would people actually understand it enough to develop products?
Have an upvote! I've never looked at it that way, but you are spot on: Colossus wasn't just a souped-up adding machine, it was IoT with nukes. (Hey, I like the ring of that. IoT with nukes!).
Apart from that, one point in Geschickter's presentation has been on my mind as well lately:
"He recommended basing that effort on a network operations centre, only one tuned to handle high volumes of data coming over diverse connections."
If every fridge and toaster and god knows what else connects to "the net" it will generate a huge amount of traffic. Throw in the traffic that is generated by running and storing everything in "the cloud" - how long until the infrastructure can't keep up? Will the next big economic crisis be triggered by congested pipes? Where is the tipping point? Who will pay for upgrading the existing physical connections?
I decided the IoT would never have a place in my house the moment I read this Reg article about smart light bulbs and how the company selling them was climbing on the rentism/ransom business model for $10 a month.
So, three reasons why IoT will never be allowed in any house I live in:
1. Security risks of being hacked and having everything in my house turned against me.
2. Being nickel-and-dimed into bankruptcy by 350 different Ransom-as-a-Service subscriptions required every month just to keep everything going.
3. The inevitable spying, monitoring and profiling for the purposes of everything from exploitative advertising to being put on pre-crime watchlists that will go with it.
Fuck that shit and the bastards' backs it rode in on.
> climbing on the rentism/ransom business model for $10 a month.
Exactly. Businesses are trying to make 'home automation' into a business model, a rental model, and are alienating those that may otherwise use the products.
There are already many useful things in the home: thermostats, motion detection, fire alarms, video recorders, CCTV monitors, remote garage door openers. The cost of having these connected to a central home system is getting much less. The problem is that a home system doesn't make much continuing revenue for businesses.
If I were to connect up things in my home I would do it only to a local server. Access from outside would only be through my own gateway with web access, SMS or emails. There is zero need to use some IoT service just to turn your lights on, even if you want to do it from your phone.