Hiding or in plain sight (IoT dev’t)

In IoT development, there seems to be a disconnect between the hype and the underlying developments. By which I mean that of course, the hype will not play out according to itself, but according “We overestimate short-term impacts and underestimate the longer-term ones”. But moreover, I also mean that there’s a variety of development speeds for IoT. Since there is various types, categories of IoT developing.
As in this here one of my previous posts.

Oh right away:
DSCN8649
[Your office ‘life’, Zuid-As again]

So… what we’re seeing, is certain differences in speeds:

  • B-inhouse IoT develops rapidly; after some decades of slow introduction of robot-driven factories, we’re on the verge of a breakthrough at less than light speed where the same factories will be linked up to form semi-small, mid-size ‘local’ 3D printing warehouses. Maybe. But certainly, the factories will go the way of data centers, that can be anywhere around the world with only rump staffing locally and control being … anywhere else around the world. With the premise that in the ‘Western’ world, there will be sufficient sufficiently educated staff to control the factories elsewhere. So that ‘manufacturing’ may ‘return’ to the West its origination (Industrial Revolution and since). Nearness of production cutting the costly transport now that labour costs become less relevant, and leaving the most pollutive production where locals still don’t have the economic power to fight the externalities. Short-changing economic development in many places where it had barely started in earnest (no ‘trickle down’ yet). Unbalancing global power developments. We’ll see… Or not; these ‘secret’ in-house developments (in particular, within large conglomerates that can pilot) may not be too visible before their join-or-die breakthrough.
  • B2B IoT: Same, somewhat. Moving ahead with cutting out the middle men, DACcing all around. Pure economics (power play by big corp’s; ROI et al.) will determine speed(s) here. Join-or-die aspects play here, too; less in outright competition but more in missing out in cooperation, being left in the dust.
  • C2B IoT: Out in the open, where all the hype is. No concern – as for secrecy of developments; heaps of concerns re e.g. privacy ..!! Critical Mass (as defined in Yours Truly’s seminal graduation thesis of, already, 1990 (on office automation incl e-mail, where it played then) yes a great many years before it was to be called) Network Effect, or – Tipping Point may be the key point for development fits and starts in this one; in publicity, actual adoption and fruitful use.
  • C-internal: Same. Slower due to legacy. I.e., houses already out there. Some have been around for centuries. Massive update ..? [Edited to add: this here toytoolset seems helpful in this area]

We’ll see…

Flavours of IoT

In my on-going attempts to get a grip on IoT, I recently developed a first, for me … Being a broadest of classification of IoT deployment, with characteristics yet to work on:

  • B-internal; the ever more intelligent, ever more (visually) surroundings-aware robots in factories, replacing extorted laborers thus taking away the last options to life they had. On the other hand, freeing humanity of toils at last ..? If not when there’s a Hegelian end…
  • B2B; having near-AI ‘machines’ as the new middlemen, if at all or incorporated on the sell- or buy-side.
  • C2B; as with most lifelogging e.g., through wearables. You didn’t really think your health data was for your private consumption, did you!? If so, only as a weak collateral product of insurer’s ever better reasons to turn you down the more you need them. No escape.
  • C-internal; maybe, here and there, with domotics. And with this; will already a blend with the previous, probably.

To which I would then add some form of mapping to the various layers of discourse (as in:
blog-iot-security11
but then, much more stacked with OSI-like layers and elements performing various functions like collection, aggregation, abstraction. Seems relevant to do a risk analysis on all those levels and points/connections.
Yes, it’s rather vague, still. But will work on this; to see whether the classification can shed some light on various speeds of adoption, and where privacy concerns et al. may be worst. Your comments, additions and extensions are much welcomed.

I’ll leave you for now, with:
Photo21b[From an old analog to digital time, still SciFi ..?]

Not yet one IoTA; Auditing ‘technology’

[Apologies for the date/time stamp; couldn’t pass.]
First, a pic:
20140226_113554
[Classy classic industrial; Binckhorst]

Recently, I was triggered by an old friend about some speaking engagement of mine a number of years back. As in this deck (in Dutch…).
The point being; we have hardly progressed past the point I mentioned in that, being that ‘we’ auditors, also IT/IS auditors!, didn’t fully adapt to the, then, Stuxnet kind of threats. (Not adopt, adapt; I will be a grammar and semantics n.z. on that.)
As we dwelled in our Administrative view of how to control the world, and commonly though not fully comprehensively, had never learned that the control paradigms there, were but sloppy copies of the control paradigms that Industry had known for a long time already, effectively in the environment of use there. As in this post of mine. Etc.

But guess what – now many years later, we still as a profession haven’t moved past the administrative borders yet. Hence, herewith

A declaration of intent to develop an audit framework for the IoT world.

Yes, there’s a lot of ground to cover. All the way from classification of sensors and networks, up to discussions about privacy, ethics and optimistic/pessimistic (dystopian) views of the Singularity. And all in between that auditors, the right kind, IS auditors with core binary skills and understanding of supra-supra-governance issues, might have to tackle. Can tackle, when with the right methodologies, tools, attitude, and marketing to be able to make a living.

Hm, there’s so much to cover. Will first re-cover, then cover, step by step. All your comments are welcomed already.
[Edited to add: Apparently, at least Checkpoint (of firewall fame oh yes don’t complain I know you do a lot more than that yesterday’s stuff; as here) has some offerings for SCADA security. And so does Netop (here). And of course, Splunk). But admit; that’s not many.]

Clustering the future

Was clustering my themes for the future of this blog. Came up with:
Future trend subjects[Sizes, colours, or text sizes not very reflective of the attention the various subjects will get]
Low sophistication tool, eh? Never mind. Do mind, to comment. On the various things that would need to be added. As yes I know, I have left much out of the picture, for brevity purposes. But will want to hear whether I missed major things before I miss them, in next year’s posts. Thank you!
And, for the latter,
DSCN0924[Bah-t’yó! indeed]

Not so self-driving

Errrm, after reading this Slate article, what is the ‘self-driving’ the car does ..? It’s just fitting into the template of the world laid out, not self-driving with ‘self’ being autonomous and aware.
Though I’m not fully in agreement on the conclusion, I do recognize the comparison in the early paragraphs: The G’s self-driving one as the Newton. But that was handsomely overtaken (intended) by the handhelds of all sizes that are ubiquitous today. As the article already hints, it’ll be a matter of AI creeping into our cars in all sorts of ways, when we suddenly realize how close we are to (or past the point of) true autonomy. But we’re not very close to that, yet; the jumps to be made may be much bigger than the Newton-to-Android-phablet one. Not being able to cope with any but the finest weather … Ugh, if one had known that, no-one would have claimed anything about self of driving, right? Where are the permits to road-legality (CA, probably already, UK 2015/2016 it was?) going to if mere sleet and fog may destroy safety?

By the way, did you notice the similarity with what happened to Glass ..? “Yes indeed, where has that gone!?” Well, it turns out it was a good try for Big G and now has vanished due to the public denouncement, through ridicule and physical backlash. So… next time, the tech will be inobtrusive, secretive, so you’ll not be able to detect or defend against it… Big win, not. So it will go with cars. Till the next round; then: Sneeking up on you, then be inevitable.

OK, I’ll leave you with yesteryears’ gloomy perimeter defences:20141019_134718[1]

IoT starts at the right end

of the products scale. As in #5 of this post.
#1 would be no surprise, by the way.

And, I’d also not be surprised when you(r company) haven’t considered similar changes. Isn’t IoT something that would not touch your business for decades to come, until you’re blown off the market in lees than five years; either by doing something stupid which you could always do, even today, or by some competitor that has dreamt up some game changer in their garage already yesterday ..? Go ahead and sleep ’till you’re no more. Change isn’t painless, sitting still is. Or isn’t it sleep, just being burnt out (as a company) (link in Dutch) ..?

I’ll leave you with this:
20140917_092605[1]
[At The Factory, indeed, Utrecht]

IoTSec from IAM at entry to the end node

Now that you all are so busy implementing Internet of Things pilots everywhere, I mean at home like with this and this, but B2B everywhere as well (…!?) or are you doing it there not too, we may need to consider Security.
Yeah, Hans Teffer did a great piece on that (see here, in Dutch) and I blogged about that before [and many more links/posts…]. And, there’s quite some other issues with IoT. But the point here is – we haven’t thought of security before implementation.
And at the very few implementation’lets of IoT we see so far, security seems absent. Of course, you’d first want to make it work in the first place. But you’re doing it not right at the start, and you know that decisions made now (implicitly) will remain in the architecture for decades to come, in particular when today’s (almost) stand-alone implem’s become linked up into one giant uncontrolled, uncontrollable mesh.

Now, first, an intermission:
DSCN0113
[At dawn]

So, ‘we’ all have been complaining about the security risks of IoT here and there and everywhere, in particular re the current risks of all sorts of industrial control being hooked up to the ‘net without anyone knowing or caring about proper sec.
And still then, we haven’t progressed beyond this Boy Crying Wolf position. Instead of moving to provide solutions. To begin with architecture ideas, the kind that we will need in order to branch out of the simpleton pilots.

On a walk, it struck me that one major part of any solution would be with Identification, Authentication (A1), and Authorisation (A2) – in particular at each and every end node in the network, the kinds you would want to reach to transit back to the Real, Physical world of Things and which are supposed to move ever closer to some form of smart dust… Whereas now, we often have the I and A1 usually at the front door, and the A2 somewhere in the/a network usually ‘near’ the end point (which also usually, is a relatively compute-enabled ‘large’ thing like a server with data).
Clearly, with the IoT we’ll need something else. All end points may float around somewhere out there, uncontrolled, un-tied-down in the giant global mesh network architecture. We will be systemically unable to tie any A2 server to an end point or vice versa (smart dust, spread out, remember), and the IA1-part will also be much, much less definable than it is today. But then, we’ll need much finer-grained access control at the end point, and much more flex at the (IA1) entry point or we leave it all free for all and only at the end point, the destination, check IA1 (again). For this IA1A2 at the end point, we need to consider:

  • The end point(s) will very probably have very limited computing capacity; even with Moore et al., this will still lag required resource in a big way – because any type of ‘attack(er)’ will have vastly more computing power available. Hence, things will need to be really really simple at this point. We may need to consider global IoT mesh network segmentation or other pervasive and comprehensively secure forms of IA1 at entry points (how to guarantee complete coverage) or throughout the mesh (how to prevent complete coverage without even the slightest possibilities of evasion).
  • Identities… ?? Where, how to manage the I’s and maintain the I+A1’s privacy, and transparency to the A2-owners ..?
  • How to arrange A2 at all those end points, including the ability to maintain those ..? The dust (or some coarser-grained proxy, whatever) is out there, and can’t easily be uploaded all with the latest A2 tables we’d want – or that is done by some broadcast flash approach which is all too vulnerable for cracked use.

But still, we need something of that kind. And transparency built in to that, too… To ensure No Backdoors and accountability in general, as these cute little hidden holes would be exploitable by all the bad guys (official, and not). By the way, #ditchcyber.

I’m aware there’s more problems than solutions in the above. But you should be aware of the risks of letting them remain unsolved. Your suggestions, please!

And, just so you know:

Not on our / I watch ..?

OK, so I wrote about the lack of API integration (yes, double) in IoT land. Which seems about to change. Now that this has come around. Tools in their early adopter stage, gotta love ’em. Next, the breakthrough.
Of IoT, too; but in what direction? Countries’ hardware infrastructures first, how deep down to B2C channels? The other way around, home channels all the way up? SocMed to wearables to life tracking blends? We’ll see. Maybe soon.

But for one thing: That geriatric-thinking pseudoreligion time-teller will not connect to the rest of the world. Sad (??). Will become the next one down. Hopefully.

For your viewing pleasure:
20140905_201020[Heaps upon Sea, indeed]

Book by Quote: Smarter Than You. Think.

Yet another ‘Book By Quote’ then. A full of … wisdom one again, for once.
An attempt to subjectively summarise a book by the quotes I found worthwhile to mark, to remember. Be aware that the quotes as such, aren’t a real unbiased ‘objective’ summary; most often I heartily advise to read the book yourself. This one, for sure – though don’t be uncritical while going through the many bends in not-so-water-tight logic ..!

So, this time: Clive Thompson, Smarter Than You Think, Williams Collins 2013, ISBN 978000742777-2.

“Human strategic guidance combined with the tactical acuity of a computer,” Kasparov concluded, “was overwhelming.” (p.5)

We’re all playing advanced chess these days. We just haven’t learned to appreciate it. (p.6)

Harold Innis – the lesser-known but arguably more interesting intellectual midwife of Marshall McLuhan – called this the bias of a new tool. Living with new technologies means understanding how they bias everyday life. (p.8)

As electricity became cheap and ubiquitous in the West, its role expanded from things you’d expect – like nighttime lighting – to the unexpected and seemingly trivial: battery-driven toy trains, electric blenders, vibrators. (p.8)

… scanned the brains of new mothers and fathers as they listened to recordings of their babies’ cries. They found brain circuit activity similar to that in people suffering from obsessive-compulsive disorder. (pp.14-15)

Marcel Proust regarded the recollection of your life as a defining task of humanity; meditating on what you’ve done is an act of recovering, … Vladimir Nabokov saw it a bit differently … “I confess I do not believe in time.” (As Faulkner put it, “The past is never dead. It’s not even past.”) (p.23)

We face an intriguing inversion point in human memory. We’re moving from a period in which most of the details of our lives were forgotten to one in which many, perhaps most of them, will be captured. (p.28)

OK, first a pic, than a moar tag; and the rest – a long rest.
DSCN0057
[Yup, Fiorentina.]
Continue reading “Book by Quote: Smarter Than You. Think.”

Maverisk / Étoiles du Nord