This!
SO...this!
The only thing that matters is getting product to market so money can be made. So shortsighted it's mind boggling.
I'm telling everyone that anything labelled "IoT" is the devil incarnate.
It's easy to laugh-and-point at Samsung over its latest smart-thing disaster: after all, it should have already learned its lesson from the Smart TV debacle, right? Except, of course, that wherever you see “Smart Home”, “Internet of Things”, “cloud” and “connected” in the same press release, there's a security debacle coming. …
"I'm telling everyone that anything labelled "IoT" is the devil incarnate."
That's pretty much what I've been trying to do.
Unfortunately, though, I get the distinct impression that every time I tell someone something like that, they walk away thinking I'm a paranoid nutjob who probably has his walls lined with tinfoil.
wonderful statement Sir!
Add 'cloud' into the mix and 90% of the public will go glassy eyed.
Apart from a few aficionados, who really cares about the IOT? Is it more like the wrong answer to a question that hasn't been asked yet.
Anyway, on the day that the OED includes 'Beer-O-Clock' I'll raise my glass to you later.
Some people are trying to build IoT stuff for people like you:
Run all the core logic with a docker container running on your PC (NOT a damn phone) and firewalled by default so it can't be accessed by the outside world. Outbound notifications also off by default and, if enabled, take the form of ASCII text email and JPG attachments.
You can enable remote control if you want to, but there are warnings. NO "cloud" nonsense - unless you run your own AWS instances or something and then it's your problem.
Wireless is read only by default, C&C requires wired Ethernet or CANBus. You can enable encrypted wireless C&C if you want to, but you're warned again.
anon because I work on it
During last year and a bit of this year I was involved in developing a Bluetooth LE (aka BT4, BT Smart) device based on a single-chip BTLE solution from Nordic Semiconductor that runs the BT stack on a Cortex M0 micro.
Of course the chip comes with a board support package (BSP) + example code that is intended to show off how the chip works. The code has clear disclaimers saying that this is for demo purposes. Some of the demos are for remote controls, heart rate monitors etc etc... the sorts of IoT things that people are designing.
They also have a forum where people can discuss issues. That's where it gets scary...
From the forum it is plainly obvious that there are many people developing these devices for market who are just taking the for-demo-only examples, tweaking them a bit and then pouring them into products. Job done.
Some of the blame can possibly be placed on marketing and management. The engineer takes an example, tweaks it a bit and demos the desired product function and shows it to marketing. They get excited. Engineer then says the code needs to be rewritten properly and that will take 6 months. Engineer gets overruled - they want to go into production immediately.
But engineers must cop some of the blame too. Most of these frameworks and protocols are incredibly complex and very few engineers scratch below the surface. They like the idea of just taking a demo and tweaking it because that is the easy path. The really hard work is in taking ownership for full product function - not just the few lines of tweakery.
These low quality BSPs are a huge problem. They encourage people to generate shoddy products.
I suppose I should not complain too much. Fixing up the mess is what keeps me in gravy.
This post is following up on Mark Pesce’s report on kids using Raspberry Pi, obviously.
If the JVPESS could spend a couple of months under the tutelage of his neighbourhood BOFH, he'll be able to sort things out quite quickly.
Assuming he survives the encounter. Either way it's win-win; no more dealing with crap, he's either dead, or the tossers are.
I was at a project with a large and normally security-conscious client. They asked for a facility to log in as if they were a specific user of their website, and after looking at each other we (developers) asked our project manager: "so, they want a back door?"
- no, you have to call it something else, back doors are not allowed
That might well come to be the situation.
Now if those new fangled bits of kit are connected to anything is another matter completely.
I connected my new TV to the internet for all of 30 minutes. Just long enough to get a software update. That's it. I might connect it periodically just to do the same but in normal operations?
Forget it sunshine, it ain't gonna happen this side of the second coming.
"I connected my new TV to the internet for all of 30 minutes. Just long enough to get a software update. That's it. I might connect it periodically just to do the same but in normal operations?
Forget it sunshine, it ain't gonna happen this side of the second coming."
The problem is that a lot of this IoT shite is going to have wireless networking built in, and let's face it vendors are always finding new ways for software to phone home without asking the user first. Not sure what can be done about that aside from physically taking it apart and connecting any aerials you can find to 0v... Still no guarantee you'd find them all of course. :P
"nah, mobile data: it will bypass any of the owners (and/or neighbours) wifi restrictions."
That's why I was careful to say "wireless networking" rather than WiFi and suggest sabotaging their aerials rather than trying to convert one's home into a Faraday cage. :)
Mobile data, requires a cell phone. Or at least a data stick that pretends to be a cell phone.
And a monthly contract with the local provider. Who's gonna want money every month.
How is that gonna work ? They gonna charge you a monthly rate for your Television ? Forget that !
You forget Whispernets, a la the original Kindle. The TV makers can have contracts with cell phone companies to bum some data on occasion off them, allowing the devices to sip from mobile networks without needing an additional device.
Plus they can make the devices such that if you try to sabotage the antenna, you break the device altogether...oh, and void the warranty. And since they have to plug into mains, they can probably use it as an antenna, so good luck trying to shield it with a Faraday cage.
Speaking as someone who's been there, this doesn't ring true. In my experience the idea that the secure version briefly exists on paper is not realistic, as there's usually at least one 'essential requirement' (which might well be the entire point of the product) that can't be made secure without obviously violating the laws of physics.
In my current gig it's even worse. Security features are cut for no other reason than budget. Risk management doesn't use the idea of exposure (probability x impact), nor do they bother with contingency (because "we've always done it this way"). These guys do checklist security (SSL? firewall? You're good, bro.) There's this glee when big names get hacked, which is ironic because their own approach is based entirely on the "it won't happen to us" thinking.
Just goes to prove that in many organisations Bullshit Baffles Brains. Of course the simple way to fix this is to make the 'designers' and C<insert letter here>O's personally liable for any loss suffered by their customers.
I'm just off to have a flying pig bacon butty, washed down by a Unicorn milk latte. (Well it's more believable)
Heh... Depends on the company. I've known businesses where you ran this sort of bullshit past their CxO crowd, they'd politely tell the player in question to GFY. I know, if it wasn't myself, it was the CEO doing it. So damn much snake oil, bullshit, and just stupid notions out there.
Ah, but part of the REAL real job of being C@O is to be able to reassign blame. That's why you got up there in the first place. And if a law threatens to pin blame onto you, you bribe a lawmaker to help defeat it, and if all else fails, threaten to move to a more lenient location.
Fuck..... I thought you were being sarcastic with remote control deadbolts....
WTF thought that was a good idea? The whole point in a dead-bolt is you can only unlock them from the side you can physically access them from. If you're going to be able to open from the otherside, might as well just use a key-lock.........
Of course, the only reason any of these devices needs to talk to the wider internet directly is because someone out there wants to make money from it. If I've got a home security system, smart Fridge, alarm clock, whatever, I want all the information gathered by these devices to stay within my network, talking to a server under my control within that network. If I want remote access then I'll do it by implementing an ssh tunnel or VPN from the remote device and minimise both the attack surface and the leakage of personal information to third parties.
Exactly: Almost nobody cares. Technology requires comprehension, which is too difficult for execuTards. Therefore, stupid reigns. And You Can't Stop Stupid.
This is CLASSIC technology project management HELL. The only way to get things done correctly, very sad to say, is to go TYPE A on everyone and become a Napoleon. That works great in the short term, as long as Napoleon knows exactly what he's talking about AND has people around him who know all the critical details he couldn't possibly keep in his single sized human brain.
Again world: Technology requires COMPREHENSION. You can't skim through it and survive. You will be metaphorically killed if you go slacker on the job. PAY the experts for their expertise and FOLLOW their expertise to that finish line called SUCCESS.
Again, for the uninitiated, The Problem Solving Protocol:
1) IDENTIFY the problem.
2) CREATE a solution.
3) ENACT the solution.
4) VERIFY the solution worked.
- AND - My own addition -
5) Keep the marketing people OUT of The Problem Solving Protocol, except as sources of marketing information and advice. NEVER allow them to be in decision positions. If you do, you're gonna have a bad time and so are your customers. Marketing-As-Management is a prime business project KILLER.
Are you reading me Samsung, Sony, Microsoft, News Corp, Comcast, Google, Oracle, Qualcomm, General Electric...?
I know Apple understands, another reason why I <3 Apple.
"5) Keep the marketing people OUT of The Problem Solving Protocol, except as sources of marketing information and advice. NEVER allow them to be in decision positions. If you do, you're gonna have a bad time and so are your customers. Marketing-As-Management is a prime business project KILLER."
Well, how do you do that when Marketing stands over you AND has a direct line to the investors?
Once while working for a Colossal Internet System Component Operation, I happened to run into the CSO (some 12 layers above me in the Org-chart) and mentioned that I had been surprised to see a particularly bad bit of mandated security procedure. His reply "I know, but it's not my call". What part of 'C', 'S', or 'O' was being misinterpreted?
Of course, I got there by being acqui-hired from a startup where the *nix boxes were all pretty locked down, except for this management-mandated requirement that any Windows user could mount any *nix hosted filesystem as any user they wished (selected from a convenient drop-down menu). Because we cannot have people who wear suits more expensive than my car, or the folks who bring them coffee, needing to remember their own usernames.
How does IoT work ...
When I refuse to give anything the pass code to my router ?
Are they hitch hiking on my neighbour's unsecure router ? The one with the terrible download speeds because everyone is downloading movies and leaving the blame to him ?
Does it have a built in cell phone to phone home periodically ? Doesn't that add substantially to the price ?
Is it going to demand to be plugged into my network ? Because not only am I NOT going to plug it in , but if I see "Internet connection required" on the box I ain't buying it in the first place.
How , exactly does IoT Work ? How does it phone home ?