
IoTSec from IAM at entry to the end node

Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?), or aren’t you doing it there too, we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And there are quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And in the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re not doing it right from the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implementations become linked up into one giant uncontrolled, uncontrollable mesh.

Now, first, an intermission:
[Photo: At dawn]

So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.

On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we usually have the I and A1 at the front door, and the A2 somewhere in the/a network, usually ‘near’ the end point (which also usually is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the IA1 part will also be much, much less definable than it is today. But then, we’ll need much finer-grained access control at the end point, and much more flexibility at the (IA1) entry point – or we leave it all free-for-all and check IA1 (again) only at the end point, the destination. For this IA1A2 at the end point, we need to consider:

  • The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag the required resources by a big margin – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really, really simple at this point. We may need to consider global IoT mesh network segmentation, or other pervasive and comprehensively secure forms of IA1 at entry points (how to guarantee complete coverage) or throughout the mesh (how to guarantee complete coverage without even the slightest possibility of evasion).
  • Identities… ?? Where and how to manage the I’s, and maintain the I+A1’s privacy, and transparency to the A2 owners ..?
  • How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t all easily be loaded with the latest A2 tables we’d want – or that would be done by some broadcast flash approach, which is all too vulnerable to being cracked and abused.
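
One pattern that addresses the first and third bullets in practice, added here as an illustration and not taken from the post: the entry point (where I and A1 happen) mints a short, fixed-layout capability token, and the end node does A2 with a single truncated HMAC and a constant-time compare, so it needs no A2 table to be pushed to it and no public-key arithmetic. The key, node id, action codes and token layout below are all constructed for this example.

```python
import hmac
import hashlib
import struct

# Constructed demo key: a real node (or node class) would hold its own key,
# provisioned at manufacture; the entry point holds the same key.
DEMO_KEY = b"constructed-demo-key-not-for-production"

# Token layout, fixed-width so a tiny node can parse it without a library:
#   node_id (8) | action (1) | expiry (4, unix seconds, big-endian) | tag (16, truncated HMAC-SHA256)
ACTIONS = {"read": 0x01, "actuate": 0x02}
TOKEN_LEN = 8 + 1 + 4 + 16

def _node_field(node_id: bytes) -> bytes:
    return node_id.ljust(8, b"\0")[:8]

def mint_token(key: bytes, node_id: bytes, action: str, expiry: int) -> bytes:
    """Entry point (I + A1 done here): one capability for one node, one action, limited time."""
    body = _node_field(node_id) + bytes([ACTIONS[action]]) + struct.pack(">I", expiry)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:16]
    return body + tag

def check_token(key: bytes, node_id: bytes, token: bytes, requested: str, now: int) -> bool:
    """End node (A2 done here): verify the tag first, then the scope, then the expiry."""
    if len(token) != TOKEN_LEN:
        return False
    body, tag = token[:13], token[13:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return False                          # forged or tampered token
    if body[:8] != _node_field(node_id):
        return False                          # capability issued for another node
    if body[8] != ACTIONS.get(requested, 0):
        return False                          # a read capability does not actuate
    expiry = struct.unpack(">I", body[9:13])[0]
    return now < expiry                       # short expiry stands in for revocation lists

def demo() -> dict:
    """Constructed scenario: one valid token, then the ways an end node must refuse it."""
    node, now = b"dust-001", 1_700_000_000
    tok = mint_token(DEMO_KEY, node, "read", now + 300)
    # Flip the scope byte to 'actuate' but keep the old tag: the HMAC check must catch it.
    tampered = tok[:8] + bytes([ACTIONS["actuate"]]) + tok[9:]
    return {
        "valid_read": check_token(DEMO_KEY, node, tok, "read", now),
        "scope_escalation": check_token(DEMO_KEY, node, tok, "actuate", now),
        "tampered": check_token(DEMO_KEY, node, tampered, "actuate", now),
        "expired": check_token(DEMO_KEY, node, tok, "read", now + 301),
        "wrong_node": check_token(DEMO_KEY, b"dust-002", tok, "read", now),
    }
```

The transparency point from the text carries over: because the whole decision is these few lines plus one key, there is nowhere for a hidden bypass to sit unnoticed, and the cost of auditing an end node is the cost of reading them.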

But still, we need something of that kind. And transparency built into that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.

I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!

And, just so you know:

Cycle comments and questions

A certain commercial advisory club still releases its hype cycle. Which is good news; to have some authority with some authority (your mileage may vary) providing us with some comprehension and comprehensiveness [OK I’ll stop now] about the What’s Buzzworthy.
Still, being … in the field / Dutch / obnoxious, pick any; I’d like to comment…:
(Here’s the August version from … somewhere; ™ and © or what is it, acknowledged)
[Image: the August hype cycle chart]

  • Virtual Personal Assistants – 5 to 10 years out (of the plateau of productivity) ..? That’s optimistic ..!
  • Brain-computer interface: If one would consider this to be about ‘intelligence’ connection, then maybe. But there’s also connections like hearing, et al., where a 5 to 10 year span may be on the ‘long’ side.
  • Human augmentation: See the previous. Or aren’t definitions sufficiently orthogonal?
  • Affective computing: Hm, optimists.
  • Neurobusiness: Same.
  • IoT: Yes, at a hype peak. Maybe (much) sooner, to be at the plateau.
  • Cryptocurrencies: Hoping for a swifter spread and adoption…
  • Big Data may be further down the slope already. Or is that from where I / we are ..?
  • Gamification, augmented reality: Hopefully and quite possibly, already reality somewhat earlier.
  • The rest of the bunch … will they not come sooner ..? Or shift shape (‘pivot’) to be unrecognizable from their today’s hype labels soon?
  • And a final one: Would anyone have a similar overview of … one year, five and ten years back? Just to see what happened in the meantime; to establish a ballpark reliability figure. Would be fun, too.

I’ll leave you with this’all. Your comments are welcome(d). If you like to dream.

Diversified Reporting Assurance

Yes, let’s call it DRA. The new wave of “accountants’ statements” in the wings.
[Warning: for those not interested in accountancy, the rest will be boring. Or, let me restate that: very boring. Or even deadly boring.]

Pops off the Top

To get you in the mood, and involved, please check out the longlist of songs eligible for my [emphasis by author] Top 2000 Of All Times (link to clean Excel here).
Yes,

  • I’ll have to prune a bit, there’s more than 2000 now;
  • They’re sorted alphabetically on Artist so far, yes, yes. But my next thing to do is to recursively bin the lot into shrinking bin sizes, you know, like a good algorithmically sound sorter would;
  • If there might be songs you miss on the list, please comment with your suggestions. Which are totally non-binding as the list is mine (make your own, feel free to copy the Excel and adapt / deteriorate) so don’t be put off if your wacky addition(s) don’t make it to the final list;
  • Most importantly, if there’s things (songs) on the list you’d deem ridiculous, you may be right. But They’re my choice…

And the usual pic:
[Photo: Way back from the 60s, would still be Good if built today like this]
To get you in the mood, check out this random sample…

Titles Artist
Donna 10CC
Dreadlock Holiday 10CC
I’m Not In Love 10CC
The Things We Do For Love 10CC
The Wall Street Shuffle 10CC
Me So Horny 2 Live Crew
I’m On Fire 5000 Volts
Aquarius / Let The Sunshine In 5th Dimension
Chiquitita ABBA
Dancing Queen ABBA
Eagle ABBA
Gimme Gimme Gimme ABBA
Knowing Me Knowing You ABBA
Mamma Mia ABBA
Money, Money, Money ABBA
S.O.S. ABBA
Summer Night City ABBA
Super Trouper ABBA
Take A Chance On Me ABBA
The Winner Takes It All ABBA
Voulez-Vous ABBA
Waterloo ABBA
All Of My Heart ABC
Back in Black AC/DC
Hells Bells AC/DC
Highway To Hell AC/DC
Let There be Rock AC/DC
Shoot to Thrill AC/DC
Thunderstruck AC/DC
Who Made Who AC/DC
Whole Lotta Rosie AC/DC
How Long ACE
Killer Adamski ft. Seal
Amazing Aerosmith
Crazy Aerosmith
Dream On Aerosmith
Dude Looks Like a Lady Aerosmith
Good Vibrations Beach Boys
I Can Hear Music Beach Boys
Sloop John B Beach Boys
Tears in the morning Beach Boys
Wouldn’t It Be Nice Beach Boys
Brass Monkey Beastie Boys
Hey Ladies Beastie Boys
Intergalactic Beastie Boys
No Sleep Till Brooklyn Beastie Boys
You Got To Fight For Your Right to Party Beastie Boys
Hey Jude Beatles
While My Guitar Gently Weeps Beatles
Loser Beck
Don’t Forget To Remember Bee Gees
How Can You Mend A Broken Heart Bee Gees
How Deep Is Your Love Bee Gees
I Started A Joke Bee Gees
Jive Talkin’ Bee Gees
Play That Funky Music Wild Cherry
Lion In The Morning Sun Will And The People
Het Dorp Wim Sonneveld
Live And Let Die Wings
CREAM Wu Tang Clan
Gravel Pit Wu Tang Clan
Protect Ya Neck Wu Tang Clan
Making Plans For Nigel XTC
Close To The Edge Yes
I’ve Seen All The Good People Yes
Owner Of A Lonely Heart Yes
Roundabout Yes
Yours Is No Disgrace Yes
7 Seconds Youssou N’Dour & Neneh Cherry
If I Can’t Have You Yvonne Elliman
In The Year 2525 Zager & Evans
Hair Zen
Gimme All Your Lovin’ ZZ Top
La Grange ZZ Top
Legs ZZ Top
Sharp Dressed Man ZZ Top

Sorry, I wasn’t able to find any good Zzz and the Zzzzzs songs… Now get going and come forward with your extension suggestions …!

Black / White

Just in case you thought that men (the typical kind; you like generalisations, apparently) know only black and white, or if pushed, also red, blue, yellow, green and brown, and women (see how overgeneralized this argument is?) know so many more, as in this – then there’s also this.
Wouldn’t it be stupid to ask for some easier (to remember!) classification / labeling?

And the pic; what colour this house …?
[Photo: Old analog->digital… Utrecht]

Detachment

First, this:
[Photo: Fantasy, sorcery, in the end Harry wins. Porto]

Just to start your day with a bit of freshness.

Then this: Hardly any surprise that Big Corp advertises like a headless monster:
[Image: the Big Corp advertisement]
Where the ‘joke’ is that this is from a company (note: it’s just an example, others are similar (..?)) where staff is pushed to the edge to deliver on hardly-quality-related shortest-term-possible KPIs, have had to hand in holiday days to keep up the profit shares of the partners (‘voluntarily’ as otherwise it might be illegal), etc. etc. Stepping one millimeter out of line is punished with all but physical beheading. So, the ad is just false advertising of the worst, culpable, kind, or displays the utter ignorance of those involved.

Or both. Which again are signs of dinosaur behavior. Detachment from where actual work is done. Same as outsourcing production abroad and claiming ignorance about work conditions – ignorance on purpose is still very, very culpable; do we need a SOx for what should be normal, human, humane treatment of employees ..? Hopefully not, as this would open the floodgates of totalitarian bureaucrat advisors and consultants once again (…), yes, those Holier Than Thou folks (see above) who demonstrably don’t know a thing about practical management. As proven (!) by Mintzberg.
Detachment. Isolation, islands of bounty at the ‘top’. That will be swept into oblivion by a mere floodwave. Where a tsunami’s approaching.

Oh, for the inattentive reader: There are a great many posts on this site (just do a search) showing that I am not against leadership, by actual leaders… This is just a rant against the falsehood of advertising and against bad ‘leadership’ …

Be quick at Making or be like dead

When I noted an article (is it?) on Baidu Eye (all of you will certainly know by now what I mean…!?), it finally dawned on me: ‘we’ in the West (let’s say for purposes here, the 300M of Europe plus the 300M of North America) just don’t do enough rapid prototyping yet.
Because that’s the trade we have left to e.g., the Chinese when ‘we’ shipped our (rapid) product(ion) development to them.

Now, the sweatshop structure that sprang up to the side of that is one huge landscape of rapid prototyping facilities. Which, if not ‘stealing’ (don’t start the legalese; that’s way too dependent on cultural notions) product ideas before launch, or just slapping a different brand tag on after (over)production, allows copycatting of products (commonly, of less quality or functionality) or of sparks of innovation (not taking a product as ideal model but as inspiration).

This somewhat fits the model of the Maker movement that springs up in the West. Is still springing up a bit, here and there. Was mentioned here and there, sparsely, and may have whittled into almost-oblivion already again ..?
Whatever; the Maker movement has a different focus, not on extremely-rapid prototyping to mass produce, but to keep it as close to one-offs as is feasible. Quite an opposite horizon!
And also leaving a vast playing field open for … others.

How can we change business / production culture to get, beside a Traditional and a Maker movement, a Happy Go Lucky Production movement where improvement-on-the-production-fly-cycles are much more rapidly learned from? (Much faster even than e.g., Samsung’s (and others’ like Apple!) fast-introduction-perfect-in-next-versions approach. But also taking this into account, for this reason!) No, just shouting around about tearing down bureaucratic rules won’t work; those rules are there to regulate the current rogues (big business, oligopolising everywhere) – I mean a real cultural shift. Is that what’s happening (or should happen) in some backwater country now that the 0.001% with help from the 1% has killed the previous mainstay power the Middle 80% ..?

Seriously, how can we rig, ground, lay the foundations for such a Third Way ..? To get, e.g., this sort of initiative far more widespread.

[Huh, since I wrote the above (couple of weeks ago), this came to light…]
[And this, the caveat you wanted …]

You (somewhere in the #=0 to #=3 range) have been such kind readers to even visit… hence I’ll leave you with:
[Photo: Freedom to consume; the mediocre! – Good, more authentic stuff, close by but elsewhere]

Maverisk / Étoiles du Nord