The Puchi Herald Reblog

A reblogging blog

Happy new insecure 2017: my resolutions and wishlist for new year

Here we are, a new year comes and we, as cyber security experts, will keep warning the world about the deeply insecure world we are living in.

And we will announce new technologies and new devastating scenarios related to them. IoT and Cloud will raise their evil faces while bad people lurk in the dark, waiting to attack the innocent lamb crossing the road.

But, in all of this, most of the damage will still be done by badly designed systems, by managers who do not understand what it means to live in a digital world, by politicians who understand cyber security issues only when they have something to gain, and by entrepreneurs who still invest in security as a disturbing side effect.

If I can make a wish for the new year, it is to finally see a different approach to information security, an approach that takes into account that:

1) to be secure you need well designed systems first, and only then cover them with some security geek technologies. If the design is crap, all your security is crap no matter what you use on top;

2) there is no security if your devices are not designed with security in mind; good code and a good code lifecycle are the best insurance, so if you buy the cheapest, do not cry … it is your job to look for what you need, and so yes, it is your fault if something goes wrong;

3) that finally companies, managers and entrepreneurs understand that security is within the process, and not just a bunch of technologies put on top of something you do not have the slightest idea about: you can’t protect what you don’t understand;

4) that if people do not understand, then they will not follow even the most basic rules, so training is not optional, but the very basis. And to be sure, the first who have to learn are the “CxO”s, who should get off the throne and start learning about the world they crafted;

5) that if we keep thinking IoT is wonderful but do not understand what IoT will bring in terms of cultural and technical problems, we will never understand what it means to put security on it;

6) that if you hire an expert and then you don’t listen to him/her, you are wasting his/her time and yours. So do not blame the messenger;

7) that if you think this complex field we call security can be covered by a junior who knows it all, you are probably wrong, unless the junior is a genius;

8) that if you, security expert, think your counterpart has the slightest idea what you are talking about, you are probably wrong, because you did not realize they do not understand what they do not know;

9) that all of this is part of the business, and therefore the business should take all this as one of its elements, and not just a nasty, annoying add-on;

10) that next time someone talks about APTs they tell you the truth: the only way to stop an APT is to stop the attacker, otherwise… it would not be an APT.

I know, I know, I am a bit naive and still believe in fairy tales…

Happy, safe and secure 2017 to you all.

Tags: security awareness, security, security culture, 2017

Happy new insecure 2017: my resolutions and wishlist for new year was originally published on The Puchi Herald Magazine

Cryptography, keeping on the big lie

So Cryptography would be a National Security Issue?

I’m tired of being polite and politically correct when talking about encryption. Let us be clear and honest: all this crypto-war stuff is a pile of crap. Every time I hear someone claiming that we should not enforce strong cryptography I wonder: do they have the slightest idea what they are talking about? Probably not, considering also most of the objections against cryptography I have heard.

Listening to those “enlightened” minds, it seems that without cryptography the world would be a sort of heaven where intelligence agencies could solve any criminal case. And it seems that cryptography is used only by those who want to act against the law and public safety. Well, maybe it would be worth it for them, and for us all, to do a reality check.

Encryption and weapons

Encryption is always associated with military technology. The Wassenaar Arrangement (http://www.wassenaar.org/) states what should and should not be considered a “sensitive” or military technology. Encryption is in that agreement.

So for someone, encryption is a weapon.

Encryption has always been used in war contexts, as well as whenever there were politically sensitive issues. Beside the modern math behind encryption, the tools or techniques to hide a message or make it unintelligible are as old as war and therefore as old as humanity.

It seems that the more advanced the technology is, the more advanced is the need to consider it a weapon. It is a long story: from traces in the Old Egyptian Kingdom (1900 BC) to the Caesar cipher, history is plagued by more or less successful examples of ciphers and cryptography (successful if the message is not decrypted, of course).

But let us be clear: modern encryption, from Turing to Diffie-Hellman-Merkle, is basically math, and math is math. I am sorry, but considering math a military weapon is like considering a hammer a weapon. Can’t a hammer be used to kill someone? Yes, and directly. Can math be used for the same purpose? Wait, no … unless the math book is really heavy.

Alas, nowadays math can be implemented in technology, and therefore it is accessible also to those who do not have a cryptography degree. But technically speaking, since math is math, anyone could develop a mathematical model to implement cryptography; would this make him/her a weapon maker? Actually, for some people, yes (see the whole PGP affair).

Apparently the issue here is the democratization of encryption as something everyone can have access to (bad and good guys), more or less like knives and hammers and (in some countries) weapons.

Modern technology allows us to implement strong encryption environments, but at the same time raises the level of “unwanted” decryption capabilities: the faster our computers are, the deeper encryption needs to go (longer keys, better algorithms…) to be effective. But this is the world we are living in.

It is beyond doubt that encryption can be used in a war-like scenario, and that it can protect communication and sensitive data, but at the same time it is clear that those are implementations of something that is in the public domain (alas, a big defect of science). You can block the export of those technologies, but you can’t prevent a good mathematician from designing a decent algorithm that supersedes your limitation, and some decent coder from implementing it.

So a limitation, per se, is not so smart in the end, unless you think you are the only one able to do those things.

Encryption and criminality

If encryption can be used to protect valuable military information and communication, it can also be used by criminals. No question about it. But again, we are talking about something that is in the public domain (math, you know), and encryption, cryptography and communication masquerading have been out there since… ever.

Targeting one tool would just shift the criminals to another tool. Once you make it possible to decrypt the internal iPhone infrastructure, do you think criminals would still rely on it? (if they ever did).

Most communication is passed in clear, by talking or writing, or sending videos. But at the same time those communications can contain hidden messages even without encryption. As in a baseball game, when informal signals are exchanged between pitcher and catcher about which ball will be pitched next, hiding the content of a message by disguising it as another is something common. And this does not require encryption and can be as effective as the former.

Actually this is the most used vehicle of communication when you want to send a “secret” message or store info. Encryption is just one of the tools that can be used by criminals.

Encryption and intelligence

So it seems that, anyway, without encryption intelligence work is not possible? This is quite a curious statement, mostly because it comes, mostly, from the same people who declare they collect only “metadata”.

So basically they do mass surveillance (regardless of whether it is legal or not in other countries) to collect only “metadata”, but the same metadata are useless against terrorism and criminality? That does not make any sense to me.

It is as if the good old intelligence of old times is now useless and we rely only on the decryption of messages.

So let us be clear on this. Metadata can give us a lot of information on a communication transaction and, sometimes, it is all you need if you are doing your intelligence work with intelligence (nice joke, isn’t it? lol).

If you have two suspects, and they start to exchange encrypted messages, well, you have good reason to make your surveillance stronger.

But if you do not have suspects? Well, the answer is: decrypt all messages from anyone and look inside the content to find out whether it is terrorism related.

Is this effective? Maybe, I do not question it; is this respectful of privacy? No, it is not. It would be like preventing criminality by bringing everyone in front of a court, I mean every citizen; maybe in the end you will even find some criminals, but most will be innocent people brought in front of a court.

So the whole point here is that, without intelligence, opening a Pandora’s box with bad encryption (like the export grade restrictions that are still harming our digital world) is, at least, questionable.

Can this make the work of law enforcement and defence agencies harder? Yes and no. If this crypto-war is made to cover inefficiency in the intelligence capabilities of those agencies, it is for sure a problem.

Unless the point is to substantiate that only mass surveillance activity can save us all. But it is funny: mass murderers post their statements on Facebook (in clear) and we do not notice it, and at the same time we keep talking about encryption?

Is it just me who sees an odd situation, or …

Encryption and the internet

We all know what HTTPS is, or we should, at least. We all know what TLS/SSL is, or we should, at least. We all know what PKI is, or we should, at least.

Internet technology relies heavily on encryption, since encryption is one of the basic pillars of security, authentication, authorization and non-repudiation technologies. Without encryption, none of those things could be effective on the internet, where there is no direct and visible contact between the counterparts.

A system is as secure as its weakest component; therefore weakening encryption damages the whole internet.

Let’s be clear again: encryption is not the only answer. When we make a VPN (HTTPS, SSL, TLS, IPsec…) we are fairly sure that what we put at the beginning of the transmission pipe is what will arrive at the end of the pipe. But encryption can do little about the content of the transmission itself, so if we put manure into one side of the pipe we will receive manure at the other side; this is why encryption is just one of the technologies that need to be implemented.

But I do not think anyone doubts that without encryption most, if not all, of the achievements of the modern internet economy would not have been possible. Or would you like to pass your credit card data in plain text? (Well, actually it is what you do when someone swipes your card on a card reader, but this is another story.)

Encryption and privacy

One of the most important values of encryption, these days, is to preserve privacy and intellectual property. With the expanding exposure of our lives to the digital world, and the promise of the IoT (Internet of Terror, sorry, my mistake, Internet of Things), encryption is becoming, day by day, the tool to preserve our privacy.

Once upon a time we could count on the privacy of our walls, and still we do. But our world has expanded dramatically, and will expand way more in the future.

Being entitled to some privacy is a right, and in some countries (such as the EU) it is considered one of the fundamental human rights. Alas, in the digital world only encryption can take the job of our walls. Weakening encryption means making your home with transparent walls. Maybe you like it, maybe not. But I wonder why this glass house concept has never been presented as a mandatory security tool by enforcement agencies.

It would make it easier to look for fugitives, stolen merchandise, drugs and so on…

Encryption and “backdoors”

This is only for this phone… yeah, right…

“I am sorry, I swear I’ll never do it again…”, how many times have parents listened to those words from kids? We do not believe them, of course; we know they will do it again until the lesson is learned.

It seems that the same approach does not work with grown-ups. They do not learn even in front of evidence.

The point that seems not to be understood by some people is that there is not only one owner of knowledge out there. I tried to explain before that modern encryption is based on math, and math is public domain stuff. This means basically that anyone with enough knowledge can work to build or harm encryption systems.

When you plan to put in a “backdoor” (or better, weaken the way a key is generated, to make it guessable) to access some data, it is just a matter of time before someone else finds the weakness. Only an idiot can think he/she is the only owner of that kind of technology.

Cryptologists and security experts worldwide think the same; recent examples of vulnerabilities related to “export grade encryption crap technology” prove this point, but this seems not clear yet to some.

As with climate change issues (and, why not, creationism), political beliefs are incredibly blind to simple facts: it will not work.

It is not that security experts and cryptologists do not care about security, or do not care about terrorism and criminality. On the contrary, they care a lot. But they are forced to have a vision that is not shortsighted by contingency. If you do it today, someone else will do it tomorrow; it is as simple as that. There is no way to stop researchers from looking for vulnerabilities; they can be good or bad, they can be trustworthy or not, but they will do it, whether you like it or not.

Encryption and trust

But the question of encryption is way deeper and more complicated. There is a problem every time you make a system weaker: you lose trust and create a precedent.

As in the San Bernardino case, there is no way to guarantee someone else will not ask to access another phone, and another, and so on.

Beside this, it is clear that once you do this for one phone, you will be forced to do it for other phones. And then there are the cloud and IoT waiting for those requests.

We should face two issues:

  1. encryption is something used to preserve data confidentiality, integrity and transmission. How can you trust a system that is openly weak?
  2. how can we trust the controller?

I tried to clearly express my view on point one before: if you weaken a part, you weaken it all. Basically it makes the whole system untrustworthy, and since we state that trust is paramount for security, weakening it will simply shift the use to other tools. It will not be a problem for terrorists to use self-made encryption tools that may make the message look like plain text …

But I would like to focus on the second point.

Can I, as a European, trust a system that can be penetrated by USA intelligence without my knowledge? I am not talking just from a personal perspective, but also from a government one.

The answer is obviously no, even if we are allies. And the reason is in documents and facts that show how even allies have their skeletons. Snowden (and some other reports before him, actually) just made public some things we were all aware of, but just too focused on denial to take a position on.

We live in an interconnected world, and we cannot think that what we do is without consequences on a global scale. Sure, we can choose not to care, or not to talk about it, but the consequences will hit us whether we like it or not.

Once a nation asks for weakened encryption for “security” reasons, there is no guarantee it will not use it also for other purposes. This means that export grade restrictions, now that the world cares and is aware of the problem, or “backdoors” and similar things will raise a similar answer from the other countries. It is quite amusing to notice that what is a “security matter” for a country can be perceived as a violation by another. Of course we are the good ones, God is with us (jeez, this reminds me of something, maybe in another language), therefore they are the bad guys, aren’t they? So we can be trusted, they can’t… or maybe we cannot trust anyone, and so consider encryption a defence tool against anyone?

I know a balance is hard to find between privacy and security, but if trust is undermined you just will not have more security, because bad guys always know how to protect their stuff.

Encryption and business

So, would you buy, or trust for that matter, something with a Clipper chip in it? Seriously? If you do not care about security and privacy, probably yes; if you care, obviously not.

So vendors, technology and service providers should have to make a double offer: with weakened security or not. Maybe offering a hard discount for the weakened security version of the product. I can imagine the motto:

“Be insecure for your security”

Cryptography, keeping on the big lie was originally published on The Puchi Herald Magazine

The IoT Files: The need for cryptography

One of the main arguments that should be touched on in any IoT discussion is cryptography. There is an undisputed consensus that cryptography is a mandatory requirement to preserve security and privacy in the IoT world, but we are far away from a general consensus on how to operate.

The need for cryptography in IoT comes from two main aspects:

The first need is clear: encryption is a mandatory requirement when we want to implement any form of authentication and non-repudiation. Encryption is widely used even when we don’t know we are using it; PKI and sign-in certificates are just some examples.

Whenever we want to transmit something, encryption comes in handy to be sure that what we transmit is not seen by third parties and not tampered with.

Whenever we store something, encryption comes in handy when we need to protect access to those data, even at a local level.

Regarding data privacy, it is a way stronger call for encryption, and for a wide use of it. As a system, IoT allows a multitude of devices to exchange data that can become sensitive and private. Without a clear understanding of this point there can be misinterpretation. In IoT the amount of data and metadata will be way bigger than the already impressive amount of data we release into the wild nowadays. So basically a more cautious approach to data privacy will be needed and embedded into the very essence of IoT; therefore encryption will be a mandatory requirement.

But encryption is not an easy area, and I am not talking about implementation (which can be easily achieved) but about the need for and use of this technology.

A little check on the current status

Cryptography is not only a technical or business argument (cost vs performance vs security) but, mainly, a political issue.

The history of cryptography has been doomed by constant attempts to block, or control, the use of good, secure cryptography tools in the civil environment. It is no mystery that nowadays we have a lot of discussion about cryptography and backdoors (although the term “backdoors” is misleading and misused most of the time).

The USA has, as an example, a good and long history of fighting against civil cryptographic tools, both in the past (maybe someone remembers the PGP affair) and in today’s events (think of the Apple case as a clear example).

Every time we lower the level of security for some reason, we have to expect that sooner or later someone else will leverage it and use it for purposes not intended by the regulator. Recent history is full of those examples; some of the actions performed against cryptographic tools are on the news every day. We tend to call them vulnerabilities (SSL/TLS vulnerabilities like FREAK …) but let us be clear on what they actually are: the consequences of export grade restrictions on cryptography.

There are a lot of laws and regulations related to the use, import and export of cryptography; here are some examples:

This section gives a very brief description of the cryptographic policies in twelve countries. We emphasize that the laws and regulations are continuously changing, and the information given here is not necessarily complete or accurate. For example, export regulations in several countries are likely to change in the near future in accordance with the new U.S. policy. Moreover, some countries might have different policies for tangible and intangible products; intangible products are products that can be downloaded from the Internet. Please consult with export agencies or legal firms with multi-national experience in order to comply with all applicable regulations.

Australia

The Australian government has been criticized for its lack of coordination in establishing a policy concerning export, import, and domestic use of cryptographic products. Recent clarifications state that there are no restrictions on import and domestic use, but that export is controlled by the Department of Defense in accordance with the Wassenaar Arrangement.

Brazil

While there are no restrictions of any kind today, there are proposals for a new law requiring users to register their products. Brazil is not part of the Wassenaar Arrangement.

Canada

There are no restrictions on import and domestic use of encryption products in Canada today. The Canadian export policy is in accordance with the policies of countries such as United States, United Kingdom, and Australia in the sense that Canada’s Communications Security Establishment (CSE) cooperates with the corresponding authorities in the mentioned countries.

China

China is one of the countries with the strongest restrictions on cryptography; a license is required for export, import, or domestic use of any cryptography product. There are several restrictions on export regulations, and China is not participating in the Wassenaar Arrangement.

The European Union

The European Union strongly supports the legal use of cryptography and is at the forefront of counteracting restrictions on cryptography as well as key escrow and recovery schemes. While this policy is heavily encouraged by Germany, there are a variety of more restrictive policies among the other member states.

France

France used to have strong restrictions on import and domestic use of encryption products, but the most substantial restrictions were abolished in early 1999. Export regulations are pursuant to the Wassenaar Arrangement and controlled by Service Central de la Sécurité des Systèmes d’Information (SCSSI).

Germany

There are no restrictions on the import or use of any encryption software or hardware. Furthermore, the restrictions on export regulations were removed in June 1999.

Italy

While unhindered use of cryptography is supported by the Italian authorities, there have been proposals for cryptography controls. There are no import restrictions, but export is controlled in accordance with the Wassenaar Arrangement by the Ministry of Foreign Trade.

United Kingdom

The policy of United Kingdom is similar to that of Italy, but with even more outspoken proposals for new domestic cryptography controls. Export is controlled by the Department of Trade and Industry.

Israel

Domestic use, export, and import of cryptographic products are tightly controlled in Israel. There have been proposals for slight relaxations of the regulations, but only for cryptographic products used for authentication purposes.

Japan

There are no restrictions on the import or use of encryption products. Export is controlled in accordance with the Wassenaar Arrangement by the Security Export Control Division of the Ministry of International Trade and Industry.

Russia

The Russian policy is similar to the policies of China and Israel with licenses required for import and domestic use of encryption products. Unlike those countries, however, Russia is a participant of the Wassenaar Arrangement. Export of cryptographic products from Russia generally requires a license.

South Africa

There are no restrictions on the domestic use of cryptography, but import of cryptographic products requires a valid permit from the Armaments Control Division. Export is controlled by the Department of Defense Armaments Development and Protection. South Africa does not participate in the Wassenaar Arrangement.

In the table below, 75 countries have been divided into five categories according to their cryptographic policies as of 1999. Category 1 includes countries with a policy allowing for unrestricted use of cryptography, while category 5 consists of countries where cryptography is tightly controlled. The table and most other facts in this answer are collected from [EPIC99], which includes extensive lists of references. Countries with their names in italics are participants in the Wassenaar Arrangement.

  1. Canada, Chile, Croatia, Cyprus, Dominica, Estonia, Germany, Iceland, Indonesia, Ireland, Kuwait, Kyrgyzstan, Latvia, Lebanon, Lithuania, Mexico, Morocco, Papua New Guinea, Philippines, Slovenia, Sri Lanka, Switzerland, Tanzania, Tonga, Uganda, United Arab Emirates.
  2. Argentina, Armenia, Australia, Austria, Belgium, Brazil, Bulgaria, Czech Republic, Denmark, Finland, France, Greece, Hungary, Italy, Japan, Kenya, South Korea, Luxembourg, Netherlands, New Zealand, Norway, Poland, Portugal, Romania, South Africa, Sweden, Taiwan, Turkey, Ukraine, Uruguay.
  3. Hong Kong, Malaysia, Slovakia, Spain, United Kingdom, United States.
  4. India, Israel, Saudi Arabia.
  5. Belarus, China, Kazakhstan, Mongolia, Pakistan, Russia, Singapore, Tunisia, Venezuela, Vietnam.

NOTE: WHAT IS THE WASSENAAR ARRANGEMENT?

The Wassenaar Arrangement (WA) was founded in 1996 by a group of 33 countries including United States, Russia, Japan, Australia, and the members of the European Union. Its purpose is to control exports of conventional weapons and sensitive dual-use technology, which includes cryptographic products; “dual-use” means that a product can be used for both commercial and military purposes. The Wassenaar Arrangement controls do not apply to so-called intangible products, which include downloads from the Internet.

WA is the successor of the former Coordinating Committee on Multilateral Export Controls (COCOM), which placed export restrictions to communist countries. It should be emphasized that WA is not a treaty or a law; the WA Control lists are merely guidelines and recommendations, and each participating state may adjust its export policy through new regulations. Indeed, there are substantial differences between the export regulation policies of the participating countries.

As of the latest revision in December 1999, WA controls encryption and key management products where the security is based on one or several of the following:

  • A symmetric algorithm with a key size exceeding 56 bits.
  • Factorization of an integer of size exceeding 512 bits.
  • Computation of discrete logarithms in a multiplicative group of a field of size in excess of 512 bits.
  • Computation of discrete logarithms in a group that is not part of a field, where the size of the group exceeds 112 bits.

Other products, including products based on single-DES, are decontrolled. For more information on the Wassenaar Arrangement, see http://www.wassenaar.org/.

Why IoT needs cryptography and where?

IoT, as a general concept, refers to a multitude of objects that can access the Internet.

The need to access the internet is related to several aspects: the need to exchange data, receive commands, and export outputs…

Of course there are different needs, and different grades of privacy and security are required according to the nature of the object we are talking about: it is not the same thing to talk about a car infotainment system, an autonomous driving system or a GPS, just as it is different when we talk about a refrigerator or a SCADA controller in a nuclear plant.

But, no matter what the device is and what its role is, some assumptions are common to all IoT objects:

  • They have to deal with sensors
  • They have to deal with data
  • They have security and privacy implications
  • They have to store data
  • They have to transmit data
  • They have to receive data

The first point is important in the encryption discussion because sensors can retrieve information that can give an expert eye indications about a lot of things outside the realm of the IoT object.

Data are of course the main reason to implement encryption.

Security and privacy implications are the obvious case study for encryption.

The last three points are where encryption should, at least, be implemented.

One of the common mistakes in IoT security considerations is to focus on a specific aspect/device and not see the big picture.

Looking at a specific device is good for implementation, but not good for understanding security and data privacy issues. What can seem trivial in an object assumes a different role in a context, and IoT is all about context.

So the idea is that even if some data can seem harmless, they can assume a different value if merged with other data.

The role of cryptography, in this context, is to prevent those data from being used for unauthorized and unwanted activities. But cryptography is also one of the basic tools needed to provide data integrity and non-repudiation.

Cryptography, of course, is not the panacea for every problem, but it is one of the tools to be used when we transmit and store data in order to preserve and protect information.

Data transmission

When we have to transmit or receive data, no matter whether commands, processed outputs or raw data, we should be confident that our data:

  • come from a trusted and authorized source
  • have not been manipulated during transport (data injection, data forgery…)
  • are protected from unauthorized access (data sniffing…)
  • are consistent with the requests

Encryption plays its role mainly in the second point, although it is also used for authentication and authorization.

Encrypting a transmission allows the data to pass from a point A to a point B without a third party being able to read it, preventing exfiltration of data. And since the key provides a basic level of authentication, data encryption can also provide some defense against the injection of unwanted data.
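The properties listed above (trusted source, no manipulation, no unauthorized reading) are separate guarantees, and encryption by itself delivers only the confidentiality one; the "some defense against injection" that a shared key gives is weak unless an integrity check is added. The following Python is an added example, not code from the article: it builds a toy stream cipher from HMAC-SHA256 in counter mode (an assumption made so the example needs only the standard library; real devices should use a standard AEAD such as AES-GCM or ChaCha20-Poly1305) and shows that a ciphertext altered in transit decrypts to an altered command with no error at all, while the encrypt-then-MAC wrapper rejects the same packet before it is ever decrypted. The telemetry message `sensor=7;valve=OPEN` and the function names are constructed for the example.

```python
"""Confidentiality alone versus confidentiality plus integrity on an IoT message.

Illustrative example (not the article's code). The stream cipher below is a toy
built from HMAC-SHA256 in counter mode; production code should use a standard
AEAD (AES-GCM, ChaCha20-Poly1305). The point is the difference between a bare
ciphertext and an encrypt-then-MAC packet when the bytes are changed in transit.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output length


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream: HMAC(enc_key, nonce || counter)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_crypt(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stream-cipher encrypt/decrypt (the same XOR operation in both directions)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(enc_key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC(mac_key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = xor_crypt(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, packet: bytes):
    """Verify the tag in constant time before decrypting; None on any mismatch."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor_crypt(enc_key, nonce, ciphertext)


def _alter(data: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Model an in-transit change: XOR the bytes at `offset` with old ^ new."""
    patch = bytes(o ^ n for o, n in zip(old, new))
    region = data[offset:offset + len(patch)]
    return data[:offset] + bytes(d ^ p for d, p in zip(region, patch)) + data[offset + len(patch):]


def demonstrate() -> dict:
    """Run both constructions over a constructed command and return what each yields."""
    enc_key = secrets.token_bytes(32)
    mac_key = secrets.token_bytes(32)
    message = b"sensor=7;valve=OPEN"  # constructed sample telemetry command
    offset = message.index(b"OPEN")

    # 1) Encryption only: confidential, but a change at a known position silently
    #    becomes a different command after decryption (stream ciphers are malleable).
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = xor_crypt(enc_key, nonce, message)
    altered_ciphertext = _alter(ciphertext, offset, b"OPEN", b"SHUT")
    encrypt_only_result = xor_crypt(enc_key, nonce, altered_ciphertext)

    # 2) Encrypt-then-MAC: the identical change is rejected by the tag check.
    packet = seal(enc_key, mac_key, message)
    altered_packet = _alter(packet, NONCE_LEN + offset, b"OPEN", b"SHUT")
    return {
        "roundtrip": open_sealed(enc_key, mac_key, packet),
        "encrypt_only_after_alteration": encrypt_only_result,
        "etm_after_alteration": open_sealed(enc_key, mac_key, altered_packet),
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value!r}")
```

The receiver in `open_sealed` checks the tag with `hmac.compare_digest` before touching the ciphertext, which is the order an IoT endpoint should keep: an unauthenticated packet is dropped without spending decryption time on it, and no partially decrypted data ever reaches the command handler. The same principle is what a standard AEAD packages into one primitive.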

The downsides of encryption are related to two aspects: the strength of the encryption and key exchange.

Those aspects are not trivial: a 40-bit symmetric encryption key can be easily brute-forced by modern computer systems (see as an example the “Bar Mitzvah attack” on SSL/TLS protocols); therefore 40-bit encryption (see the FREAK lesson) is a clear security hole.

On the other hand, even a longer encryption key is useless if the key is discovered.

Processor time and resources

The longer the key, the more the encryption will take in terms of time and resources. Encryption chipsets are, usually, the answer to this aspect, while they can do little about key exchange.

The argumentation against a wide use of long keys in encryption (256 bit) are, in reality, more related to political or costs constrain than to technical ones. And even costs are just partially a problem, scaling the production would make those chips inexpensive.

Of course software encryption is a more economic (but, may be, less secure) way to address the question on IoT.

All the point is to understand how much we can invest in this IoT device in terms of resources.

Another point to take care of is the overload that encryption gives on network package. Usually a encryption protocol brings some overload to the transmission due to bigger packets (although the use of compression can reduce it) and the key exchange process which can require several exchanges.

The key exchange issue

The other issue is the key exchange. To use encryption (symmetric or asymmetric) you need to exchange a key with your partner in the communication.

The key can be

  • Static
  • Dynamic

A static key is easy to implement and can be built into the solution. The problem with static keys is that they can be good for storage but not for data transmission: once the key has been discovered, all the security is gone.

Dynamic keys are a more secure solution; a lot of protocols rely on dynamic keys for data exchange, take SSL/TLS as an example. Yet the implementation needs to be careful in order to avoid the same kind of problems discovered in the aforementioned protocols.

One problem is related to how you create your key: a weak protocol can create predictable keys that can be easily guessed, and this is one of the typical requirements of export-grade encryption.

Also, relying on a PKI infrastructure is not, per se, a secure solution. PKI keys can be stolen and/or forged.
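As an added example (not code from the original post), here is the data transmission list and the dynamic key exchange put together with Go's standard library: an ephemeral X25519 agreement gives each session a fresh key that never crosses the network, and AES-256-GCM over that key provides both confidentiality and an integrity tag, so a packet altered in transit (the injection case above) is refused instead of decrypted. The sensor/gateway roles and the sample header are assumptions; the exchange alone does not tell you who the peer is, which is where the certificate or PKI question comes back in.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"io"
)

// Session is one side of a link protected by a per-session (dynamic) key.
type Session struct {
	aead cipher.AEAD
}

// NewSession derives a fresh AES-256-GCM key from an X25519 key agreement.
// Each side calls it with its own private key and the peer's public key;
// both obtain the same secret without ever sending the key itself.
func NewSession(priv *ecdh.PrivateKey, peerPub *ecdh.PublicKey) (*Session, error) {
	shared, err := priv.ECDH(peerPub)
	if err != nil {
		return nil, err
	}
	// Hash the raw shared secret into a uniform 256-bit key
	// (HKDF with a protocol label would be the production choice).
	key := sha256.Sum256(shared)
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{aead: aead}, nil
}

// Seal encrypts plaintext and authenticates it together with header, a
// cleartext field (e.g. a device id) that travels unencrypted but must not
// be altered. Output layout: nonce || ciphertext || 16-byte tag.
func (s *Session) Seal(header, plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, header), nil
}

// Open checks the tag over nonce, ciphertext and header before returning the
// plaintext; any flipped bit, swapped header or wrong key is rejected.
func (s *Session) Open(header, msg []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(msg) < ns+s.aead.Overhead() {
		return nil, errors.New("message too short")
	}
	return s.aead.Open(nil, msg[:ns], msg[ns:], header)
}

// Exchange runs the whole flow between a sensor and its gateway (assumed
// roles) and reports what the gateway read and whether a tampered copy was refused.
func Exchange(plaintext []byte) (decrypted []byte, tamperRejected bool, err error) {
	curve := ecdh.X25519()
	sensorPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	gatewayPriv, err := curve.GenerateKey(rand.Reader)
	if err != nil {
		return nil, false, err
	}
	// Only the public keys cross the network; the shared secret never does.
	sensor, err := NewSession(sensorPriv, gatewayPriv.PublicKey())
	if err != nil {
		return nil, false, err
	}
	gateway, err := NewSession(gatewayPriv, sensorPriv.PublicKey())
	if err != nil {
		return nil, false, err
	}
	header := []byte("device-id:sensor-42") // constructed sample value
	msg, err := sensor.Seal(header, plaintext)
	if err != nil {
		return nil, false, err
	}
	decrypted, err = gateway.Open(header, msg)
	if err != nil {
		return nil, false, err
	}
	// A copy with one bit of the ciphertext flipped: the tag no longer verifies.
	tampered := append([]byte(nil), msg...)
	tampered[gateway.aead.NonceSize()] ^= 0x01
	_, terr := gateway.Open(header, tampered)
	tamperRejected = terr != nil
	return decrypted, tamperRejected, nil
}
```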

Data storage

Data should be protected while we transmit them but also when we store them.

It seems trivial, but data storage is not as simple as it seems in IoT. We can have different kinds of data: permanent, semi-permanent and volatile.

Let us assume that volatile data are those used at the moment and then destroyed; we should focus on the permanent or semi-permanent ones.

Again this is a generalization, and specific implementations can differ, but generally speaking stored permanent data need, in the first instance, a storage area.

This area can be local or remote (the cloud), according to the data needs.

Apparently the more secure solution would be storing data locally on the device. This is a simplistic approach, since the security of the data stored on a device is strictly related to how secure access to the device is, which is not clear.

If the device is not able to set up a proper authentication and authorization mechanism for internal resources (this is a far more extensive need than locking the door against outside visitors), data stored locally need to be protected from external intrusion.

Encryption is, of course, one of the technologies that needs to be implemented. As for data transfer, here we can make the same arguments about key length we discussed before. Another important aspect here is the ability of the system to wipe physical data removed from the storage area, in order to prevent sophisticated data exfiltration techniques.

Again the problem here is how to deal with the key used to encrypt and decrypt data. This is the scenario we saw in the Apple vs. FBI San Bernardino case, to refer to current episodes.

What IoT needs

From a security standpoint there is no doubt that a strong encryption approach is necessary for IoT; there is no real justification, from a technical and economic point of view, against this implementation.

The problem comes from the political approach to encryption. Encryption lives in a dual-identity status as a civil technology and a military one. Recent geopolitical issues (cyber terrorism and terrorism) have fueled the discussion against encryption, potentially harming future implementations with “backdoor”-style designs (insecurity by design).

Without a common agreement on encryption we can face 2 different scenarios:

One scenario sees a short-key-length implementation, with practically no security advance besides marketing statements.

Another scenario sees an IoT divided into regions where encryption is or is not allowed, making it impossible for you to go to specific countries because of the technology implemented in your cardiac stimulator (I assume you can leave your phone and watch at home and use an allowed device).

Of course neither is what IoT is claimed to be.


The IoT Files: The need for cryptography was originally published on The Puchi Herald Magazine

Historical memory, what is this about?

I wrote about memories yesterday.

Personal memories and historical memories are the building blocks of our life. We live through our memories since, in the end, it is memories that create our thinking, our background, our experience, our knowledge.

Personal memories are easy to understand: they are what we directly lived through direct experience. But those memories are just a portion of the memories we have and have to deal with.

Another great portion of our memories is built into the society we are living in, shaped through communication (media, arts, word of mouth, storytelling), school and other tools.

Some of those memories are related to the cultural heritage, some are related to the moment we are living, some are just simply lies.

Historical memory should be the memory of things that happened before we were born; since we cannot have direct experience of what happened before we were there, we need something or someone to tell us. Well, I am not talking about past lives or memory regression to previous ages, I am just talking about history.

It is interesting to notice how historical memories tend to blur the closer they are: we have a less clear vision of what happened 30 years ago than 100.

The main reason is that recent history is doomed by its political influence on current life, and so it is managed and transformed to comply with one or another need. Ancient history is less easily related to our current experience, and so it is easier to find a contextual and proven analysis.

But going back in time is still not easy: the further we go back the less we can know, because history needs signs to be recreated by historians. This is a problem because we tend to read signs according to our experience, driven by our need to make them as close as possible to our current status and set of beliefs.

It is common in the history of science and in history in general to see this. We tend to use the past to justify our current actions more than to learn the lesson, so we, ridiculously, tend to pass moral judgement on past historical events, and not on current ones.

Historical memories are not static, and not absolute. They are the reinterpretation of the past we make according to our experience, our culture, our teachings, our religious, social and political beliefs.

You question this? Although it can sound crazy, there are still people who believe in creationism; they probably consider paleontologists a sort of evil scientists. And I cannot imagine what they think about the ones who study the first moments of our universe, way before Earth was created.

Historical memory is something that could help us avoid the errors of the past, but it is usually shaped to allow us to make those mistakes again and again. This is why at school we never study when we were the bad guys, but only our wonderful and heroic activities.

Putting our experience into a historical perspective is not politically (and socially) useful; can you imagine what would happen if we really tracked all politicians' promises and checked them against reality?

Luckily, to avoid this reality check we constantly avoid listening to the other side; when it is not convenient the other is just a bad storyteller. It is like when you hear comments like: he works in a university, he is an intellectual, he does not know about real life…. It could seem that being knowledgeable is, for some, a bad thing, and actually it is, because it could put at stake our belief system.

The problem with historical memory is that part of it is formed when we do not have enough critical tools to analyze it (let us say until we are teenagers), and then we shape it to follow our constructed set of beliefs. So our shaped historical memories drive us to shape our current memories in an endless cycle.

I wrote about this in the past; I called it rational acts of faith.

Basically we choose the sources we want to believe, and assume that is the truth. Since that is the truth, the rest is accordingly a lie.

It can be a religious text (Bible, Quran, Shruti, …), some political or social or economic background literature (Das Kapital, The Wealth of Nations, Mein Kampf…), but we accept it as a truthful source and we discard the rest.

Of course we could easily say that there is not only one side, but hey, either you are with me or you are against me, no other options.


This is common everywhere: in Italy we say that Colombo was Italian, and that the phone was invented by Meucci, not by Bell. In Spain they claim Colombo was a Spanish guy, while in the USA it is commonly accepted that Bell invented the phone, regardless of the historical facts.

If we cannot find a common agreement on such silly questions, can we imagine how we read recent and past history?

Moreover, to shape our memories we tend to take excerpts out of context, so the neocons usually refer to the “invisible hand” that should shape the market, forgetting what the cultural habits were in which those assumptions were made; at the same time we forget to understand what the vision of the world was, and what the consequences of the first steps of industrialization and urbanization were, when Karl Marx wrote “Das Kapital”.

Out of context anything can be used for the purpose we want or need. And out of context it is easy to forget the downside of every story: so the epic conquest of the Americas does not mention that the local populations suffered a genocide both in North and Latin America. And of course there is no mention in EU schoolbooks of what Europeans did in the colonies.

I wonder how many UK citizens know the role of the UK in the Opium War in China.

How many realize that during the Second World War there was a civil war in Italy against the Fascists.

And what Italians did in the colonies to the local people.

Or how many Japanese know what happened in Manchukuo.

How many Chinese know about the dark years and the millions of people who died during the first decades of the Cultural Revolution (the price of the forced industrialization).

Shaping our society's memory to make us look like the good ones has always been a need for any society; in ancient history it was epic literature (and some good tricks with historical texts, actually), now we use TV and movies, but nothing really changes. Also censorship is always present, in some cases explicit, in some cases more subtle, but no country is safe, neither Italy, nor the USA, nor China. OK, in China it is clearly, almost blatantly, evident.

So we delete, or try to delete, a great part of the historical memories we do not like; this is why in the end we are doomed to make the same errors again and again.

And it is interesting to notice that even if we have access to much more information nowadays, we are more closed to critical analysis. Or maybe it is just that the ease of communication gives voice to the worst elements.

Historical memory, what is this about? was originally published on The Puchi Herald Magazine

weak manager style

In a previous post (http://www.thepuchiherald.com/2016/03/04/management-style-common-error-to-avoid/) I tried to put some rationale on my thoughts about management, describing some of the characteristics a manager usually has (bad ones, of course).

One of the biggest “Aha!” moments new and experienced managers (and the people who work for them) have experienced is the realization that being a strong manager doesn’t mean being forceful or domineering.

It’s just the opposite — strong managers are strong enough to lead through trust, whereas weak managers have to use the force of their job titles to make people listen to them.

Most of the management styles depicted (not all) were management styles that need leading through fear, since they do not use, require or are able to use trust as a management tool.

When we talk about fear-based management, it’s the weak managers we are referring to! You can spot a weak manager at a hundred paces or more, because weak managers are the ones who raise their voices, make threats and generally keep their teammates off-balance and worried about pleasing the manager when our customers need them to be happily focused on their work.

Strong managers lead through trust. They trust their teammates and their employees trust them. They don’t have to be right. They don’t care whether they are right or not, as long as the right answer emerges from the conversation. They don’t have to be bossy. They trust their employees to know what to do and to ask for help if they need it. But we know trust is a bi-directional thing.

Weak managers don’t trust themselves enough to lead that way! And moreover they do not trust others, because they project their own mindset onto others’ behaviours.

Here are five sure signs that your manager is a weak manager pretending to be strong.

We can feel sorry for him (really?!?) or her, but you don’t have time to waste in a workplace that dims your flame. If your manager is not a mentor and an advocate for you, you deserve to work for someone who is!

Can’t Ask for Help

When a weak manager isn’t sure what to do next, he or she won’t ask the team for help. Instead, the weak manager will make up a solution on the spot and say “Just do it — I’m the manager, and I told you what I want!” A weak manager cannot ask for input from people s/he supervises. If you try to reason with your weak manager, s/he’ll get angry.

Needs a Handy Scapegoat

When a weak manager notices that something has gone wrong, he or she has one goal in mind: to find somebody to blame! A strong manager will take responsibility for anything that doesn’t work out as planned, and say “Well, what can we learn from this?” A weak manager can’t take on that responsibility. He or she must pin the blame on somebody else — maybe you!

Can’t Say “I Don’t Know”

A strong manager can say “I don’t know what the answer is” many times a day if necessary, but a weak manager is afraid to say “I don’t know.” He or she will lie or start throwing figurative spaghetti at the wall to see what sticks.

Strong managers learn fast because they learn from successes and misfires, both. Weak managers are not as open to that kind of learning, because so much of their mental and emotional energy goes to deflecting blame when something goes awry.

Measures Everything

Strong managers focus on big goals. They follow the adage “The main thing is to keep the main thing, the main thing.” Weak managers get sidetracked with small, insignificant things. That’s why a weak manager will know that you worked until nine p.m. last night averting disaster, but still call you out for walking into work five minutes late the next morning.

Weak managers rely on measurement instead of judgment when they manage people. They have a yardstick for everything. They will say “I manage by the numbers” when in fact, they aren’t managing at all.

Can’t Say “I’m Sorry”

The last sign of a weak manager is that this kind of manager cannot bring him- or herself to say “I’m sorry” when a stronger leader would. They can’t be criticized and they can’t accept feedback, however compassionate. They can’t take it in, because their ego is too fragile to acknowledge any room for growth.

Life is long, but it’s still too short to waste time working for someone who can’t be human and down-to-earth at work. Work can be a fun and creative place, or a sweat shop where you count the minutes until quitting time.

One of the biggest determining factors in your satisfaction at work is the personality of the manager you work for. Don’t you deserve to be led by a person with the courage to lead with a human voice?

People say many things about management, but one thing they seldom say is that the job is easy. If it were, we wouldn’t have chronically dismal employee engagement rates hovering nationally around the 30 percent mark. Accordingly, here are five basic skills to focus on – attributes, actually – five areas where it’s easy to stumble, but where improvements can make the difference between failure and success, and which together are a portrait of strong managers.

Patience

Who doesn’t need more patience in a managerial role? I know I did. There are about 600,000 things – from your own boss, to deadlines, to the grinding pressure “to do more with less,” to those nettlesome customers and employees! – that can stress you out. Besides, patience has a long tail. Employees appreciate being treated with patience when things go a little off track. They’ll often remember it and reward you with better effort.

Patience means you think and evaluate things, weigh them and make your decision based on solid facts and not in the heat of the moment.

Courage

Have the fortitude to hold your people accountable for the big stuff they need to get right. It’s easy to default to pesky micromanagement on trivial details, but what most matters as a manager is keeping the important work on track: the complex projects, the big-ticket budget items, the key strategic initiatives.

Numerous studies show managers have chronic problems with accountability. So focus your energy in the areas where it’s most needed – with the courage to hold people responsible for the results your organization requires.

There is another side to accountability: courage also means protecting your people when they need it. We know the corporate environment is anything but fair, so a manager must have the courage to raise a shield when his people are under attack.

Thoughtfulness

Have the thoughtfulness to take the modest amount of time required to praise your people when it’s deserved. Avoid the all-too-common trap of being parsimonious with praise. To what end? Well-placed praise is one of the simplest and best management investments you can make. It costs nothing and motivates effectively. Why don’t managers use it more? I never fully understood the reticence.

Praising people can range from a “good job” at the coffee machine to a fair setting of goals and evaluations. Not recognizing efforts will make your people just stop trying.

Fairness

Avoid the natural tendency to play favorites. Indeed, this is a perfectly natural human tendency. Some employees are just more likable, others more difficult. Good managers keep their personal emotions in check. Resist the understandable tendency toward favoritism. Fight it. Subdue it. Defeat it. You’ll be respected for it.

And try to push the same attitude in your group; if such problems arise, it is better to deal with them or, sooner or later, they will strike back harder.

Execution

Simply put, execution is everything. Business is no academic realm of abstract ideas. To the contrary. An excellent idea counts for nothing if not properly executed. As Ross Perot used to say, “The devil’s in the details.” Operations matter. Trains have to run on time. As a manager, you’ll be judged on execution. On results (hopefully). How effectively does your team get done what they need to? Were desired targets reached? Keep your eye always on the executional ball – it can make the difference between managerial success and failure.

Do not micromanage, but be ready to remove obstacles that can prevent your group from reaching their (and your) goals. Work with your group to solve issues, do not be part of the problem.

One thing I always liked about management was that it was a fundamentally practical exercise. Tangible and results-oriented. It’s by no means a simple job, but small improvements can yield big results.


weak manager style was originally published on The Puchi Herald Magazine

Management style, common error to avoid

Being a manager is a hard job, and it deals with cultural, economic and corporate issues and rules. But being a manager is indeed an important job, usually performed without a clear idea of what a manager should do.

We can find bad and good managers, and most of the time they do not even realize where they stand on the good-or-bad dashboard, because usually nobody teaches you what being a manager means.

Nevertheless there is a world of literature on management, so if someone really wants to improve from a naïve management style to something more consistent, there are plenty of tools. Even at corporate level those readings would be useful, but, alas, too often this does not happen.

Let me point out some of the weirdest aspects of being a manager nowadays.

What a manager should be

The main reason a company needs a manager is that the company needs to manage resources.

Resources are human resources, budgets, processes and activities.

In the very definition of manager there is the concept of delegation: a manager should receive a delegation from the company to manage some tasks and related resources.

Of course in an ideal world the company's commitment to the manager and the manager's commitment to its people are plainly clear and effective.

The truth is always different, and the reasons lie in the fact that:

  • We do not live in a perfect world
  • A company is not a deterministic entity; political issues, personal interests, group interests all lead to unpredictable results
  • Communication is anything but clear in terms of effectiveness and reach (not to mention cultural and linguistic problems)
  • Culture is a big word that contains a lot of issues (company culture, country culture, personal culture…)
  • ….

This makes management a tough job.

It has been said that a bad management attitude can affect job results and increase turnover. People leave managers before companies.

But since the environment is not so clear, a manager has to face a first issue: understanding what the company requires of him.

It seems easy, but the truth is that there are 3 different levels of understanding:

  •  What the company tells
  •  What the company wants
  •  What the company needs

In a perfect world those 3 items would be coincident; in the real world those 3 items seldom are the same thing.

[Slide image: Diapositiva1]

It is clear that for the company's wellness the third level is the good one, so basically we can describe the quality of a manager based on his attitude toward the company.

An average manager does what the company tells him/her to do

This is typically the case of accepting and following orders. The best way to be kept out of trouble, but with minimal added value.

A good manager does what the company wants him/her to do

Since communication is subject to political, linguistic and cultural issues, the link between what you have been asked to do and what you actually should do is not always clear.

Unwritten rules are the common quicksand that marks the difference between what is told and what is really meant. Living in a multicultural environment increases this difference by a great order of magnitude. So the good manager should be able to read the message between the lines.

A great manager does what the company needs him/her to do

But sometimes what is told and what is requested by the company is not in the best interest of the company itself. There can be different reasons for that: maybe lack of visibility and experience at the higher levels (hierarchy does not mean you know the issues better than everyone else), errors, lack of vision, poor execution or simply bad management.

So a great manager should be able to do what is needed, even if this can break some company rules.

I know that in some cultures this is barely acceptable, but the truth is that if you do not do this you are responsible for the bad results.

And a manager's responsibility is not only towards the higher hierarchy levels but foremost to his/her own group.

Type of management

Regardless of the manager's understanding of the corporate indications (or better, the higher hierarchy levels' indications), a manager has to, in the day-by-day job, try to manage people and resources. People are the most difficult thing to manage.

There are in the literature thousands of good management indications; I want to focus on some common bad habits.

[Slide image: Diapositiva3]

The control freak (The micromanager)

Micromanagement has a dual meaning in the literature; for some it is just the attitude of a manager to go into every single detail.

This, per se, is not a bad thing if the manager uses it as:

  •  A positive attitude towards his/her team to teach and improve their job
  •  A superior knowledge of the subject

Commonly, micromanagement is, on the other hand, associated with a completely different attitude.

Micromanagers are control-freak managers that do not give any kind of trust and credit to their group.

Usually this goes with the absence of delegation and really hard, rude manners.

The basic idea of this kind of manager is that there is no other way to reach a goal than his/her way. And since he/she is the only depositary of the truth, he has to impose his way on the others.

You know that kind of manager that calls you at 10 PM shouting because you haven’t answered him immediately?

Pressure is the only way this manager uses to obtain results, and the pressure always rises, without any recognition or praise of his team's job.

This is the same manager that watches your timetable, when you get in and when you get out. Blames you for being 5 minutes late and, worse, considers not overworking unacceptable.

Monday meetings with this kind of manager are a nightmare; he/she will blame you for every single detail.

Micromanagement culture is more related to production environments than to knowledge workers. But this management culture is still prevalent.

The Autocrat

This kind of management style is the one of the kind of manager that feels he/she has been invested in the role by a higher entity.

They are right because they are the boss, and not boss because they are right.

The position justifies the truthfulness of their statements, independently of the real status of things (of course).

The autocrat usually is also a micromanager, but not necessarily.

Again there is a lack of trust and delegation, but not all the compulsive control-freak attitude of the previous one.

The main problem here lies in the absence of communication (communication is a bidirectional activity).

Since the autocrat relies on his position to justify his/her actions, no checking is needed except with the higher hierarchy levels. Blind acceptance of orders, received and given, is the trademark of this kind of manager.

The blame fixer

This is something we have all met in our life, not only among managers.

The blame fixer is that kind of manager that is able to move the fault to the next viable target. Usually he/she is a great company traveler, and a career climber, because of this fine ability to unload every bad result onto someone else's shoulders.

The trademark of this management style is the motto

“I do not want problems, I want solutions”

That is common in management.

The blame fixer is a heavy requester of paperwork, since everything has to be set up in order to pass the blame to someone else; proofs of activities are mandatory.

Of course the blame fixer does not give trust, but does not consider trust an issue, since he/she is politically committed to surviving the corporate environment no matter what.

The soft heart

Not all managers are rude and hard to live with. Some, on the other hand, are kind, open to discussion and even collaborative. The problem can arise when they have to stand up for their group.

Basically this management style relies on a perpetual state of denial in front of problems, but this will turn into a backlash when the problem hits.

You can’t count on this manager to protect the group; he never fought before and does not see the need to fight now.

He never discusses higher orders simply because he doesn’t want to expose himself/herself; as a result he/she passively accepts all indications. At the same time a poor management attitude brings this kind of manager to neither teach nor develop his people, in order to avoid conflict and questions.

The politicians

Like the blame fixer, with which he usually shares a lot of traits, the politician is that kind of manager whose only interest is to advance his career in the corporation, and who therefore makes every move accordingly.

Anything and anyone is expendable for his agenda, which is the only important thing. Basically this is a career-obsessed kind of manager, very willing to be helpful to the higher hierarchy levels since the job will be done by someone in the team.

This is the kind of manager that never says no to any odd request, that always proactively volunteers his/her team for the craziest commitments.

Very pleasant and manipulative, he/she always presents himself/herself in friendly ways, but wants to maintain tight control on communication going outside the team, to be able to better leverage the knowledge for his/her agenda.

The innovator

There is always a better way and I want to try them all. The innovator is the portrait of a strange kind of manager who loves to be surrounded by new things.

He/she reads a lot of books on management, and is open to trying every single new procedure. Usually the same approach is used also toward technology, so he/she is a gadget freak with the latest computer, phone, tablet, watch…..

Everything new is worth testing: processes, management styles, tools, virtually anything.

The problem with this management style is the lack of consistency. At every change the direction is somehow lost, and the time to adapt to changes is not always enough to actually be able to master something.

Conclusion

All these traits are not mutually exclusive; most of them are present in any one of us. But in some managers some come out more than others, making them the prevalent personality trait.

It is clear that all those aspects are, in the literature, considered very bad for a company's wellness and team effectiveness, just as it is true, as said before, that most managers do not read management literature.

The fact remains that if a manager cannot control those aspects the management results are really poor, and this can in the long term affect the capacity of the company to reach goals and retain valuable resources.

What? The Pictures?

Got it, right, I forgot one manager typology.

The Team builder

This is the kind of manager we all would like to work with. Open and transparent, he/she makes the team the focus of his/her management style. His/her motto is always “let’s do it together”.

He/she is able to give trust and in return he/she gains respect and commitment from the team.

He/she stands up for the team and tries to do the best for the group and the company. On the other hand this can put him/her in open contrast with the company itself, and so not really appreciated in a corporate environment.

Why Management is important

Managing people and resources is the way to obtain results. But the effectiveness depends on management style and the manager's ability.

Management requires specific soft skills that go beyond the technical area of expertise. Not everyone is meant to be a manager, which does not mean that, as individual contributors, they could not give great input to the company.

But as a last statement I would like to stress an important aspect that should be clear to any manager at any level.

One of the key tasks for managers is problem solving. This means that a manager has to be a proactive part of any problem that arises; this is the payoff for his/her higher discretionary delegation.

Most of the management styles we have seen earlier in the article seldom willingly try to solve a problem, and are therefore bad managers for the company.


Remember:

A manager that is not a proactive part of the solution is part of the problem.

Management style, common error to avoid was originally published on The Puchi Herald Magazine

The IoT Files – intro and security

The IoT Files – intro and security

The IoT Files – intro and security

I will start a series of posts on the IoT (Internet of Things), since it seems to me that most of the talk about IoT is missing some key aspects.

I will start with a general introduction, taken from a webinar I delivered recently.

There is a lot of buzz around IoT lately. It seems to be the new holy grail of the technology industry, the panacea that will solve every business pain and drive us to the next stage.

All this talk is interesting, but somehow a little bit apologetic, since there are a lot of things still to be evaluated in an IoT world, and some could give us headaches and concerns.

So let us start by trying to understand what we are talking about when we talk about IoT.

IoT, the Internet of Things, is the extension of the consumerization of connected devices, which will cover much more than we are used to nowadays. The key target of the IoT is the user and his world.

This does not mean that IoT is not about SCADA systems or industrial control systems, or e-government or smart cities. It is all about this and more, but the focal point will be the user, the new hyperconnected guy: Mr. Guy Smart.

But aren’t we already hyperconnected with our ever-present smartphones, tablets and now smartwatches?

What is the difference between us now and Mr. Smart?

The difference lies in the number of devices and systems connected that are related to the new user. Way more than the simple phone and watch: we can think of wearable devices, medical devices, glasses for augmented reality, smart shoes that tell us how we walk, or belts that monitor our waist and diet.

But Mr. Smart is not only using the stuff he wears; he is also living in a hyperconnected world, driving a smart car (autonomous and more…) on smart roads, with intelligent traffic lights, in a smart city where he finds his smart home.

All connected, all sharing information, all dynamically changing status according to the user's requests and the context.

A way of living quite different from our current way of life, since everything can modify its behavior according to the moment.

All this looks wonderful: a personalized environment that follows our needs and provides us with a completely new experience. A new industrial revolution able to shape our needs, our thinking and our way of life.

But is this real? How far are we from this?

To understand what all this means we should start from the definition of Internet of Things. A good definition is the following:

The Internet of Things (IoT) refers to the ever-growing network of physical objects that feature an IP address for internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems.

According to most analysts this is the main trend we should expect in the coming years.

All analysts forecast billions of connected devices, a great hope for a growing business….

  • But does this come without a price?
  • Is this so easy to achieve?
  • What are the consequences?


IoT is a great opportunity, but it is also something that should make us think about the consequences. As with everything, there is always a price to pay, and we should understand what this price is.

I will try to give a short description of 5 aspects related to IoT that we should pay attention to:

  1. Security
  2. Privacy
  3. Infrastructures
  4. Business Models
  5. Culture

IoT and Security

I know that security is on everyone's lips recently; the rise of cyber crime and cyber warfare has put security under everyone's attention.

Yet we are still far away from a real understanding of what security really is, and of what it means to do security. We usually focus on a particular aspect of the security domain, or on specific technologies, forgetting that doing security is a complex affair that deals with behavioral science as well as technology. It is more a process than a product or service.

What should put us on alert is that in an IoT world the dependency of our lifestyle, and our lives, on devices will be so tight that security will assume a completely new meaning for the normal user. We are not talking about an annoying virus on our laptop, but about something that can literally kill us, as in the case of medical devices or smart driving systems.

IoT brings a lot of security concerns, some quite easy to understand, others alas too often neglected. Let us try to name a few:

Hacking

This is something everyone knows: every year the knowledge about hacking rises, as does hackers' ability. It is a never-ending race. But can we try to imagine what would happen in a world where the number of hackable devices is in the range of billions?

This is something we should take into serious consideration: no OS is secure (sorry Linux, Unix and Mac guys), and we are talking of billions of objects that exchange data, transmit data, manipulate data, and collect data through sensors. The attack surface will become incredibly wider, and the results unpredictable.

The classical reactive approach of OS designers has to be radically modified, since this can be the door to hell. A new security design approach is needed. And don’t think for a moment that IoT devices will have few lines of code and therefore be easy to secure. Even the smallest, simplest device will have its sensors and will have to communicate data and receive orders (otherwise it would not be SMART), so there is nothing like a simple OS here. Besides, the smaller the OS, the harder it can be to secure and patch it. In bigger environments it is a common operation to wrap the vulnerability in something that somehow works around the problem; will this be possible in the smaller IoT OS?

Cyber Criminals

And if the hacking surface grows, we can also expect criminal activities to grow and find new ways to make money from it.

For those who work in the cyber security arena, it is well known that cyber criminality moves more money than the illegal drug and weapon markets. This can only grow, making cyber crime more important than ever. And when something is so important, corruption and collaboration between the underworld and official actors are to be expected.

So IoT brings with it great concerns from this point of view.

Cyber Warfare

But if it is not a criminal organization, it can be a government. Do we really think that this will be an area where governments will not play a part? Do we realize that IoT will be tied to our lives and our productive environment? So targeting the IoT could harm a country more than a conventional war, blocking its productive system.

Science fiction? Try to remember Stuxnet, and maybe we can agree that this is a plausible scenario: a country that attacks the IoT infrastructure in order to harm another country.

And if it is not a state or a government, it can be a terrorist organization, activists …

Geopolitical Issues

And if it is not on purpose, maybe the system can be harmed by geopolitical issues. In a hyperconnected world damage can be done even when targeting something else.

Censorship

Let’s take censorship as an example. We may not realize that censorship can harm the functionality of a device; after all, we are not talking about Twitter or Facebook, but…

Take your Android phone and go to China, as an example, and you will see directly the effect of censorship on IoT. Your wonderful Android functions and services will not work, since Google has been banned from China for censorship reasons. (Sure, you can use a VPN, but please, try to see the bigger picture here.)

Errors and Incidents

And even if it is not on purpose, accidents and errors can harm the system anyway, probably in ways we still don’t see at the moment, due to the complex nature of the various interrelationships between the objects.

Compatibility

And if it is not errors or incidents, the harm can be done by compatibility issues. After all, you will want to change objects or location from time to time. Some IoT objects will travel with you, and compatibility will become a great issue.

What if you change medical device provider and the new one does not support vital data taken from the old one? Or if you go to a place that does not allow the same level of communication (maybe because encryption is not allowed there)?

What More?

Many other scenarios related to IoT and security can be recalled; this is not an exhaustive list, but it is good enough to make the point. Security is a serious issue in an IoT world.

The classical approach that considers security an “add-on” to IT and a business burden to avoid has to change dramatically. Security must become part of normal thinking, because the risk is higher than ever.

When considering IoT and security, ask yourself:

  • Would you drive, or feel safe, in an easy-to-hack car, on an easy-to-hack road?
  • Would you like to depend on an easy-to-hack medical device?
  • Would you like to count on a hackable safe city system?
  • ….

We have to realize that security is important in all realms.

It is not just a product add-on (the antivirus…); we will have to deal with new things like:

  • Operating system security
      • Vendor security approach
      • Service provider security system
      • Supply chain security
  • Authentication
  • Communication security:
      • Reliable
      • Protected
  • Compatibility
  • Open source vs legacy code
  • Vulnerability and vulnerability disclosure policy
  • Communication of hacking incidents
  • Training and awareness
  • Reliability

Alas, we are still far from the finish line.

In the next post I will talk about privacy in the IoT.


The IoT Files – intro and security was originally published on The Puchi Herald Magazine
