You Have Already Lost

IoT Security, take 2 (at least)

A couple of weeks ago, I took a stab at the current buzz issue dealing with the Internet of Things: Security.  The bottom line from that attempt: update the defaults and you don't have anything to worry about*.

After reading many articles on IoT security, I feel that I may need to amend that rather blithe recommendation.  With all of the information that corporations, governments, and service level workers have on each of us, your security is no longer in just your hands.  You are now at the mercy of whatever information security policies that all of those entities have put in place.  The result:

You have already been compromised.

And it is not even your fault because it is almost impossible to live in a western, first world economy and avoid having your personal information stolen.through your security.  Think of all of the ways that we offer our information to people without vetting their ability to protect it:

• We hand our credit cards to waitstaff who then walk away to a back room and do who-knows-what.
• We trust that there is nothing funny with the ATM or credit card reader whenever we swipe.
• We give our address and other payment information to credit card companies, on-line shopping sites and other places and assume that they have policies in place.  That's turned out well for Target, Sony and several others.
• We set up our personal email accounts with large corporations who make their money by selling our information (albeit at one remove) to other large corporations who want to sell us something.
• We trust our government with our information.  A government whose own level of bureaucratic  security is no match for the military grade attacks that it is receiving.  For that matter, the government itself is looking to ensure that all of our security is delicately compromised, though only they will have the key (#sure).

Not doing these things is all but impossible in an advanced economy.  What's even worse is that as soon as one security hole is patched, another appears.  This is a 'warhead versus wall' paradigm ('para-dig-em') and the warhead always wins.

What is a person to do?

There are several options.  First, you can cut all ties with technology and live in the wilderness and ignorance scared of Those-Who-Must-Not-Be-Named.  If you are like me, this is not an option worth considering.  How can I chill without NetFlix?  Who would I call out to for my music?  #notgoingtohappen.

What else, then?  Most of the big data security breaches have been to gather personal information so that thieves can steal identities and make purchases using credit cards or bank info.  Only some of that is relevant to the Internet of Things and SmartHome technology.  The best way to deal with a fight you've already lost is to have a plan and know what to do ahead of time.

Securing Your Security

What is relevant to IoT and home automation is planning.  When starting out with your SmartHome system, there are two basic approaches:

• Roll your own.  This approach assumes that you are setting up your own servers, cloud and doing most of the pairing and integration work yourself.  Programs like HomeSeer and OpenHAB rely on you to do more of the work, but also allow many more levels of customization and, because they are local and generally not tied to a large corporate server, more secure. You can even step off the deep end and use a Raspberry Pi.
  
  The downside is compatibility.  While you'll be able to find sensors and switches and such, larger items will be more difficult.  Connected refrigerators and smart door locks are usually locked to the manufacturer's cloud and won't integrate with a home built jury-rigged system.
  
  
• Use an existing 'ecosystem'.  Here we're talking about something like Apple's HomeKit, Google's Brillo/Weeve/Works-with-Nest, AT&T's Digital Life, Comcast's Xfinity Home, and Samsung's SmartThings.  Here the initial heavy lifting is done for you.  There's no need to learn how to open ports on your router or determine the best mesh network for your needs.  Instead, look at the manufacture's list of compatible devices and go.
  
  Here the downside is that you are relying on their cloud security to keep your home secure.  Who are the faceless minions that maintain their servers?  Why might some group of hackers, corporate rival or government want to attack them?  In fact, what is that manufacturer themselves doing with the data that they collect on you?  You don't know.  Even if you read the Terms of Service document, it's really had to know.
  

The real choice here is control versus time/convenience.  Why are you getting in to home automation?  If it's more about security, then roll your own.  On the other hand, if you like the convenience of switching things on and off from around the world, having your TV turn on when you roll into the garage, but don't have the time to delve into nested if-then statements, go for a pre-built platform.

But if you do go for the pre-built system, try to stick to one.  While you can add Alexa to SmartThings to Hue to Nest, each additional service does not double your chance of exposure, it raises the stakes exponentially.

I think I've ground this into the dirt.  Beaten a dead horse.  So I'll end it.  Here.

*My advice should be taken at your own risk.  My sense of responsibility for your actions is a fart in the wind.  That's enough CYA for now.

VR in IRL

And here I am...

This week, Sony announced their VR headset for the PS4 for $399 (sort of).  With the HTC Vive on Steam and the Oculus Rift (oh, and the Samsung Gear VR), there are now a growing number of ways for people to truly immerse themselves in alternative realities.

But... but... what's the point?  Not that this stuff isn't entertaining.  It will be.  Not that there isn't a lot of money to be made in hardware and (even more) in content.  There is.  But how will this affect how we live our lives... in non-virtual reality?

... imprinting on my couch.

There are a few obvious answers that I'll list here just to get them out of the way:

• Couch potato-ness will increase.  Duh.
• Invest in catheter futures.  Bathrooms don't work in VR.
• Invest in pizza robots.  Food doesn't nourish in VR.
• Porn.  Lots of porn.

But what else? Is there anything useful in all of this or is it just for entertainment?  To answer this, I asked my local expert: my Middle-School Daughter (MSD).

Schmoid:  Hey.

MSD:  What?

Schmoid:  How do you see VR helmets being actually useful?

MSD:  Huhn?  Why are you asking me?  You're the one that's supposed to be the tech expert.

Schmoid:  Because I want to see what the next generation thinks they will be doing with this stuff.

MSD:  What evs. [pause while she gets over how weird her dad is]  I guess they would be entertaining.  I could feel like I'm actually in Minecraft.

Schmoid:  Fine, but how is that useful?

MSD:  Because it's awesome.

Schmoid: [giving up on an unwinnable argument] What about school, then?  What if you went to school online and it felt like a classroom?  Would that be useful?  All you'd need to do was get out of bed in the morning and throw a helmet on.

MSD:  Maybe, I guess.  But what about lunch?

Schmoid:  You'd take the helmet off and eat.

MSD:  Dad!  That's not what I meant.  What about talking with my friends?

Schmoid:  You guys would just open another chat and meet for lunch.  Still virtually.

MSD:  And PE?  It would be really awesome if I didn't have to go to PE.

Schmoid:  I'm sure that there would be some form of exercise that you would still have to do.

MSD:  Then... meh.  It would still be school.  But it would be cool if I got an extra hour of sleep.

The One Percent Life

It was from that conversation that I figured out what VR will ultimately do to our actual reality lives.  Those that can afford it will be able to work and collaborate more easily with others that are also VR enabled.

Virtual schools will be able to automate attendance and have all students in a class answer every question asked without having to put one student on the spot.  Grading will be managed by expert systems, asking help from the teacher only on ambiguous input.

For the workplace, cubical farms will become a thing of the past.  Or not as they will be virtual cubical farms where a supervisor will still be able to look out over their floor and know who is doing what.  Meetings can meaningfully involve people from around the globe, unlike the teleconferencing of today.

Trade shows.  My god, trade shows.  No more tired feet and scrambling to hit all of the booths and wait in line to see the latest thing or meet the 'it' person.  And the booths would no longer be bound by the laws of physics.

The worlds of Gibson and Stephenson and The Wachowski siblings (and Ernest Cline because it's hard not to love Ready Player One... oh, and Tad Williams' Otherland books) would all be ours to have.

They why would we ever need to leave the comfort of our homes?  Because there are jobs that support the infrastructure of the suburban VR warrior clan that need to be done in reality: garbage collection, electrical grid maintenance, food preparation, cleaning services, construction, assembly, etc.  Basically, all of the service and support level jobs that are considered blue collar.

Education will be separated into those that can attend the virtual classrooms with their richer experience and those that will still attend an IRL school with their fellow lower income bracketeers.  Work will be segregated into the stay-at-home white collar VR manager and the service workers ensuring that an all-beef patty is available at a moments notice.

The Cake is a Lie

Will this actually happen?  Some of it.  I'm guessing that cubical farms and trade shows will continue to exist in real life, though there may be virtual components to them.  Some schools and meetings will go full VR, but there will always be something lost in the uncanny valley of facial nuance translation that will continue to give face-to-face a premium.

Instead, what VR will do is what all new technology does: emphasize and accelerate many of the details of our existing lives.  Think social media: Facebook did not change the world, but it did allow us to share our worlds with a wider audience.  Smart phones did not change the world, they just let us say the same things we've always been saying to more people in more ways.  VR will do the same.

What will be interesting is which details it ends up emphasizing.

Dim Bulbs

I'm not a fan of Smart Bulbs

There.  I've said it.

It's not their bulbiness, per se.  It is more their hubbiness.  While I understand the need for hubs in a smart home environment, having multiple ones seems a bit much.  Especially ones that are single service hubs.  They connect the bulbs to the network.  They don't connect the bulbs AND the switches and the contact sensors and the thermostat.  Just the bulbs.

Single-Serving Hubs

If smart bulb manufacturers want me to use their product, I'm going to need them to use something a whole lot less proprietary.  A whole lot more inclusive.  I can hear a few of them say that their systems integrate with other, larger ecosystem hubs, but that still requires that the bulb hub (blub?) work in conjunction with the main hub.  Is there something about including Z-Wave or Zigbee or Bluetooth (or, god forbid, 802.11something) into the stalk of the bulb that makes this difficult?  I'm sure I don't know.

(Turns out that Philips does know.  However, while Zigbee is an open(ish) standard, the Hue version may or may not be.)

And that is why, for me, I'm sticking to smart wall switches (currently a mix of WeMo for single switches and GE Z-Wave for three-way switches).  I know, I can't have the bulb alert me through color changes when I've gained (or lost) a subscriber.  Fortunately, I keep a device in my pocket that blinks and chimes whenever that stuff happens.  I can't have that funky VIP lounge lighting effect in my very own living room.  Let's face it, I've never been in a club, much less a club VIP lounge and I would not know what to do with myself if I were.  Probably fall asleep, which is what I do in my living room.  With normal bulbs.

How Many IoT Enthusiasts Does it Take?

The installation is a bit more than screwing in a light bulb (insert ethnic/occupation/gender based bulb joke here).  On the other had, I don't have another hub to figure out and coordinate.  Or another app to jump to or try to fit into Tasker or IFTTT.

I'll 'switch' to smart bulbs when my current LED bulbs burn out.  And I only installed them last year..

Internet of the Least Secure

I Say Securi-Tah, You Say...

One of my favorite Twitter accounts is SecuriTay (@SwiftOnSecurity), purported to be Taylor Swift commenting on the state of consumer data security.  From it, you get gems like:

The author has the same sense of "Yes it's serious, that's why I mock it" that I'm reaching for here.  He/She/It reminds us that the vast majority of us are both as opinionated and clueless as a pop-diva (or actor) at a info-sec convention: that this conversation about how to secure the Internet of Things is over most of our heads.

Even if you manage the user database for a corporate IT system and understand levels of privilege and how to assign them, much of that does not apply to your home life or your social life or your commuting life.  Yet the systems that we are asking to augment (govern) those parts of our lives are generating usable, traceable, exploitable data.  And we are rarely assigned root, or admin, or even power user privileges (just try deleting your FB profile or using YouTube without G+ (though that's changing. Some.))

Won't Someone Think of the Children?

However, because we all have access to the internet and a keyboard or camera or microphone or all three, we feel that we can comment on things that are way over our heads.  Many of those comments as they relate to the Internet of Things are about protecting children and other innocents, those who are not savvy in the ways of the World Wide Web (and other less reputable networks).

And yet... Ultimately, we are all children in this space.

We parents post about our children on FB or Instagram or wherever without thought.  Yet we are concerned about them posting on-line?  We know better?  Maybe.  But by posting, the information is out there: you have a child and at this date they were this old...  For a child predator, this is enough.  Is it enough to outweigh the convenience of instantly sharing your incredible child with your friends and family and basking in the precious likes?  That is left for each of us to decide.  As it should be.  These are supposed to be tools that augment our lives, not limit them.

Love me, Fear me

The truth is that we are living in this on-line space, but it's complexity is becoming unknowable: too many standards, too many variables from this site to that.  How do we deal?  Are we to be governed by fear?  Are we to throw in the towel and let it all hang out?  The answer is somewhere in the middle: be conscious of what you share and where you share it.  Who are you sharing your content with?  If others see this, what will they learn about me from it? Always keep that old saw about seeing IT in the NYT in the back of your mind.

But all of that is generic to our lives on-line.  When dealing with the Internet of Things and a burgeoning Smart Home, the rules are actually simpler:

• Change all of the defaults: usernames, passwords, IP addresses, TCP/IP ports, etc.  Too many people still have an old router with the factory default passwords and that is an opening just screaming to be exploited.  Not doing this is a big reason why sites like Shodan can exist.
• Regularly schedule password changes.  Your work IT support schedules this on a monthly or quarterly basis.  Use that schedule at home.  Or tie it to something that fits with your home: furnace air filter changes or oil changes or haircuts.  
• Don't put anything in your home in a place that you would not be comfortable being sensed by others.  It may seem like a good idea to link an IR sensor to the bathroom light so you don't have to fumble around in the middle of the night, but now someone will know if you are in the bathroom or not.  Maybe you don't want that.  (Maybe you do.  Hey, I'm not judging).

Finally, please keep in mind that the programmers (not the companies who build all this stuff) that build the code for IoT products are usually much more aware of security issues that the federal government.  Which is good.  However, they have to code for the least common denominator.  Which is bad.

Be better than that least common denominator and you should be okay.