Monday, March 28, 2016

You Have Already Lost


IoT Security, take 2 (at least)


A couple of weeks ago, I took a stab at the current buzz issue dealing with the Internet of Things: Security.  The bottom line from that attempt: update the defaults and you don't have anything to worry about*.

After reading many articles on IoT security, I feel that I may need to amend that rather blithe recommendation.  With all of the information that corporations, governments, and service level workers have on each of us, your security is no longer in just your hands.  You are now at the mercy of whatever information security policies that all of those entities have put in place.  The result:


You have already been compromised.


And it is not even your fault because it is almost impossible to live in a western, first world economy and avoid having your personal information stolen through your security.  Think of all of the ways that we offer our information to people without vetting their ability to protect it:

  • We hand our credit cards to waitstaff who then walk away to a back room and do who-knows-what.
  • We trust that there is nothing funny with the ATM or credit card reader whenever we swipe.
  • We give our address and other payment information to credit card companies, on-line shopping sites and other places and assume that they have policies in place.  That's turned out well for Target, Sony and several others.
  • We set up our personal email accounts with large corporations who make their money by selling our information (albeit at one remove) to other large corporations who want to sell us something.
  • We trust our government with our information.  A government whose own level of bureaucratic  security is no match for the military grade attacks that it is receiving.  For that matter, the government itself is looking to ensure that all of our security is delicately compromised, though only they will have the key (#sure).

Not doing these things is all but impossible in an advanced economy.  What's even worse is that as soon as one security hole is patched, another appears.  This is a 'warhead versus wall' paradigm ('para-dig-em') and the warhead always wins.

What is a person to do?


There are several options.  First, you can cut all ties with technology and live in the wilderness and ignorance scared of Those-Who-Must-Not-Be-Named.  If you are like me, this is not an option worth considering.  How can I chill without NetFlix?  Who would I call out to for my music?  #notgoingtohappen.

What else, then?  Most of the big data security breaches have been to gather personal information so that thieves can steal identities and make purchases using credit cards or bank info.  Only some of that is relevant to the Internet of Things and SmartHome technology.  The best way to deal with a fight you've already lost is to have a plan and know what to do ahead of time.


Securing Your Security


What is relevant to IoT and home automation is planning.  When starting out with your SmartHome system, there are two basic approaches:

  • Roll your own.  This approach assumes that you are setting up your own servers and cloud, and doing most of the pairing and integration work yourself.  Programs like HomeSeer and OpenHAB rely on you to do more of the work, but also allow many more levels of customization and, because they are local and generally not tied to a large corporate server, are more secure. You can even step off the deep end and use a Raspberry Pi.

    The downside is compatibility.  While you'll be able to find sensors and switches and such, larger items will be more difficult.  Connected refrigerators and smart door locks are usually locked to the manufacturer's cloud and won't integrate with a home built jury-rigged system.

  • Use an existing 'ecosystem'.  Here we're talking about something like Apple's HomeKit, Google's Brillo/Weeve/Works-with-Nest, AT&T's Digital Life, Comcast's Xfinity Home, and Samsung's SmartThings.  Here the initial heavy lifting is done for you.  There's no need to learn how to open ports on your router or determine the best mesh network for your needs.  Instead, look at the manufacturer's list of compatible devices and go.

    Here the downside is that you are relying on their cloud security to keep your home secure.  Who are the faceless minions that maintain their servers?  Why might some group of hackers, corporate rival or government want to attack them?  In fact, what is that manufacturer themselves doing with the data that they collect on you?  You don't know.  Even if you read the Terms of Service document, it's really hard to know.

The real choice here is control versus time/convenience.  Why are you getting into home automation?  If it's more about security, then roll your own.  On the other hand, if you like the convenience of switching things on and off from around the world, having your TV turn on when you roll into the garage, but don't have the time to delve into nested if-then statements, go for a pre-built platform.

But if you do go for the pre-built system, try to stick to one.  While you can add Alexa to SmartThings to Hue to Nest, each additional service does not double your chance of exposure, it raises the stakes exponentially.

I think I've ground this into the dirt.  Beaten a dead horse.  So I'll end it.  Here.

*My advice should be taken at your own risk.  My sense of responsibility for your actions is a fart in the wind.  That's enough CYA for now.

Monday, March 21, 2016

VR in IRL

And here I am...


This week, Sony announced their VR headset for the PS4 for $399 (sort of).  With the HTC Vive on Steam and the Oculus Rift (oh, and the Samsung Gear VR), there are now a growing number of ways for people to truly immerse themselves in alternative realities.

But... but... what's the point?  Not that this stuff isn't entertaining.  It will be.  Not that there isn't a lot of money to be made in hardware and (even more) in content.  There is.  But how will this affect how we live our lives... in non-virtual reality?

... imprinting on my couch.


There are a few obvious answers that I'll list here just to get them out of the way:


But what else? Is there anything useful in all of this or is it just for entertainment?  To answer this, I asked my local expert: my Middle-School Daughter (MSD).

Schmoid:  Hey.

MSD:  What?

Schmoid:  How do you see VR helmets being actually useful?

MSD:  Huhn?  Why are you asking me?  You're the one that's supposed to be the tech expert.

Schmoid:  Because I want to see what the next generation thinks they will be doing with this stuff.

MSD:  What evs. [pause while she gets over how weird her dad is]  I guess they would be entertaining.  I could feel like I'm actually in Minecraft.

Schmoid:  Fine, but how is that useful?

MSD:  Because it's awesome.

Schmoid: [giving up on an unwinnable argument] What about school, then?  What if you went to school online and it felt like a classroom?  Would that be useful?  All you'd need to do was get out of bed in the morning and throw a helmet on.

MSD:  Maybe, I guess.  But what about lunch?

Schmoid:  You'd take the helmet off and eat.

MSD:  Dad!  That's not what I meant.  What about talking with my friends?

Schmoid:  You guys would just open another chat and meet for lunch.  Still virtually.

MSD:  And PE?  It would be really awesome if I didn't have to go to PE.

Schmoid:  I'm sure that there would be some form of exercise that you would still have to do.

MSD:  Then... meh.  It would still be school.  But it would be cool if I got an extra hour of sleep.


The One Percent Life

It was from that conversation that I figured out what VR will ultimately do to our actual reality lives.  Those that can afford it will be able to work and collaborate more easily with others that are also VR enabled.

Virtual schools will be able to automate attendance and have all students in a class answer every question asked without having to put one student on the spot.  Grading will be managed by expert systems, asking help from the teacher only on ambiguous input.

For the workplace, cubicle farms will become a thing of the past.  Or not, as they will be virtual cubicle farms where a supervisor will still be able to look out over their floor and know who is doing what.  Meetings can meaningfully involve people from around the globe, unlike the teleconferencing of today.

Trade shows.  My god, trade shows.  No more tired feet and scrambling to hit all of the booths and wait in line to see the latest thing or meet the 'it' person.  And the booths would no longer be bound by the laws of physics.

The worlds of Gibson and Stephenson and The Wachowski siblings (and Ernest Cline because it's hard not to love Ready Player One... oh, and Tad Williams' Otherland books) would all be ours to have.

Then why would we ever need to leave the comfort of our homes?  Because there are jobs that support the infrastructure of the suburban VR warrior clan that need to be done in reality: garbage collection, electrical grid maintenance, food preparation, cleaning services, construction, assembly, etc.  Basically, all of the service and support level jobs that are considered blue collar.

Education will be separated into those that can attend the virtual classrooms with their richer experience and those that will still attend an IRL school with their fellow lower income bracketeers.  Work will be segregated into the stay-at-home white collar VR manager and the service workers ensuring that an all-beef patty is available at a moment's notice.

The Cake is a Lie


Will this actually happen?  Some of it.  I'm guessing that cubicle farms and trade shows will continue to exist in real life, though there may be virtual components to them.  Some schools and meetings will go full VR, but there will always be something lost in the uncanny valley of facial nuance translation that will continue to give face-to-face a premium.

Instead, what VR will do is what all new technology does: emphasize and accelerate many of the details of our existing lives.  Think social media: Facebook did not change the world, but it did allow us to share our worlds with a wider audience.  Smart phones did not change the world, they just let us say the same things we've always been saying to more people in more ways.  VR will do the same.

What will be interesting is which details it ends up emphasizing.

Tuesday, March 15, 2016

Dim Bulbs

I'm not a fan of Smart Bulbs

There.  I've said it.
It's not their bulbiness, per se.  It is more their hubbiness.  While I understand the need for hubs in a smart home environment, having multiple ones seems a bit much.  Especially ones that are single service hubs.  They connect the bulbs to the network.  They don't connect the bulbs AND the switches and the contact sensors and the thermostat.  Just the bulbs.


Single-Serving Hubs

If smart bulb manufacturers want me to use their product, I'm going to need them to use something a whole lot less proprietary.  A whole lot more inclusive.  I can hear a few of them say that their systems integrate with other, larger ecosystem hubs, but that still requires that the bulb hub (blub?) work in conjunction with the main hub.  Is there something about including Z-Wave or Zigbee or Bluetooth (or, god forbid, 802.11something) into the stalk of the bulb that makes this difficult?  I'm sure I don't know.

(Turns out that Philips does know.  However, while Zigbee is an open(ish) standard, the Hue version may or may not be.)
And that is why, for me, I'm sticking to smart wall switches (currently a mix of WeMo for single switches and GE Z-Wave for three-way switches).  I know, I can't have the bulb alert me through color changes when I've gained (or lost) a subscriber.  Fortunately, I keep a device in my pocket that blinks and chimes whenever that stuff happens.  I can't have that funky VIP lounge lighting effect in my very own living room.  Let's face it, I've never been in a club, much less a club VIP lounge and I would not know what to do with myself if I were.  Probably fall asleep, which is what I do in my living room.  With normal bulbs.

How Many IoT Enthusiasts Does it Take?


The installation is a bit more than screwing in a light bulb (insert ethnic/occupation/gender based bulb joke here).  On the other hand, I don't have another hub to figure out and coordinate.  Or another app to jump to or try to fit into Tasker or IFTTT.

I'll 'switch' to smart bulbs when my current LED bulbs burn out.  And I only installed them last year.

Monday, March 7, 2016

Internet of the Least Secure

I Say Securi-Tah, You Say...

One of my favorite Twitter accounts is SecuriTay (@SwiftOnSecurity), purported to be Taylor Swift commenting on the state of consumer data security.  From it, you get gems like:


The author has the same sense of "Yes it's serious, that's why I mock it" that I'm reaching for here.  He/She/It reminds us that the vast majority of us are both as opinionated and clueless as a pop-diva (or actor) at an info-sec convention: that this conversation about how to secure the Internet of Things is over most of our heads.

Even if you manage the user database for a corporate IT system and understand levels of privilege and how to assign them, much of that does not apply to your home life or your social life or your commuting life.  Yet the systems that we are asking to augment (govern) those parts of our lives are generating usable, traceable, exploitable data.  And we are rarely assigned root, or admin, or even power user privileges (just try deleting your FB profile or using YouTube without G+ (though that's changing. Some.))

Won't Someone Think of the Children?

However, because we all have access to the internet and a keyboard or camera or microphone or all three, we feel that we can comment on things that are way over our heads.  Many of those comments as they relate to the Internet of Things are about protecting children and other innocents, those who are not savvy in the ways of the World Wide Web (and other less reputable networks).

And yet... Ultimately, we are all children in this space.

We parents post about our children on FB or Instagram or wherever without thought.  Yet we are concerned about them posting on-line?  We know better?  Maybe.  But by posting, the information is out there: you have a child and at this date they were this old...  For a child predator, this is enough.  Is it enough to outweigh the convenience of instantly sharing your incredible child with your friends and family and basking in the precious likes?  That is left for each of us to decide.  As it should be.  These are supposed to be tools that augment our lives, not limit them.

Love me, Fear me

The truth is that we are living in this on-line space, but its complexity is becoming unknowable: too many standards, too many variables from this site to that.  How do we deal?  Are we to be governed by fear?  Are we to throw in the towel and let it all hang out?  The answer is somewhere in the middle: be conscious of what you share and where you share it.  Who are you sharing your content with?  If others see this, what will they learn about me from it? Always keep that old saw about seeing IT in the NYT in the back of your mind.

But all of that is generic to our lives on-line.  When dealing with the Internet of Things and a burgeoning Smart Home, the rules are actually simpler:

  • Change all of the defaults: usernames, passwords, IP addresses, TCP/IP ports, etc.  Too many people still have an old router with the factory default passwords and that is an opening just screaming to be exploited.  Not doing this is a big reason why sites like Shodan can exist.
  • Regularly schedule password changes.  Your work IT support schedules this on a monthly or quarterly basis.  Use that schedule at home.  Or tie it to something that fits with your home: furnace air filter changes or oil changes or haircuts.  
  • Don't put anything in your home in a place that you would not be comfortable being sensed by others.  It may seem like a good idea to link an IR sensor to the bathroom light so you don't have to fumble around in the middle of the night, but now someone will know if you are in the bathroom or not.  Maybe you don't want that.  (Maybe you do.  Hey, I'm not judging).
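
The three rules above, applied to a home device inventory. This is an added example, not part of the original post; the field names, the sets of factory usernames, addresses and ports, and the 90-day rotation interval are assumptions chosen for illustration.

```python
from datetime import date

# All values below are constructed for illustration; they are not a vendor list.
FACTORY_USERNAMES = {"admin", "root", "user"}
FACTORY_ADDRESSES = {"192.168.0.1", "192.168.1.1"}
FACTORY_PORTS = {23, 80, 8080}
ROTATION_DAYS = 90                      # assumed "quarterly" schedule
PRIVATE_ROOMS = {"bathroom", "bedroom"}


def audit_device(dev, today):
    """Return the list of rule violations for one inventory record."""
    findings = []
    # Rule 1: change all of the defaults.
    if dev["username"] in FACTORY_USERNAMES:
        findings.append("default-username")
    if dev["address"] in FACTORY_ADDRESSES:
        findings.append("factory-address")
    if dev["admin_port"] in FACTORY_PORTS:
        findings.append("default-port")
    # Rule 2: rotate passwords on a schedule. The inventory stores only the
    # date of the last change, never the password itself.
    changed = dev["password_changed"]
    if changed is None:
        findings.append("factory-password")
    elif (today - changed).days > ROTATION_DAYS:
        findings.append("rotation-overdue")
    # Rule 3: nothing that senses people in a room you want kept private.
    if dev["senses_presence"] and dev["room"] in PRIVATE_ROOMS:
        findings.append("private-room-sensor")
    return findings


def audit(inventory, today):
    """Map device name -> findings, leaving out devices that pass."""
    report = {}
    for dev in inventory:
        findings = audit_device(dev, today)
        if findings:
            report[dev["name"]] = findings
    return report


# Constructed sample inventory (hypothetical devices and addresses).
INVENTORY = [
    {"name": "router", "room": "hall", "username": "admin",
     "address": "192.168.1.1", "admin_port": 80,
     "password_changed": None, "senses_presence": False},
    {"name": "hub", "room": "office", "username": "homeowner",
     "address": "10.20.30.5", "admin_port": 8443,
     "password_changed": date(2015, 11, 1), "senses_presence": False},
    {"name": "ir-sensor", "room": "bathroom", "username": "sensor-owner",
     "address": "10.20.30.40", "admin_port": 8443,
     "password_changed": date(2016, 2, 1), "senses_presence": True},
    {"name": "wall-switch", "room": "kitchen", "username": "switch-owner",
     "address": "10.20.30.41", "admin_port": 8443,
     "password_changed": date(2016, 2, 1), "senses_presence": False},
]

if __name__ == "__main__":
    for name, findings in audit(INVENTORY, date(2016, 3, 7)).items():
        print(f"{name}: {', '.join(findings)}")
```
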
Finally, please keep in mind that the programmers (not the companies who build all this stuff) that build the code for IoT products are usually much more aware of security issues than the federal government.  Which is good.  However, they have to code for the least common denominator.  Which is bad.

Be better than that least common denominator and you should be okay.

Monday, February 29, 2016

What IoT Is

Stuff.  Small stuff.

Really, it's not the Internet of Things (or Stuff), but the Internet of Small.  And it can all be blamed on Moore's Law: more computing in smaller spaces consuming less electricity means processing can be fitted into more... things.

But why, you may ask, does anyone want to fit computing/processing/connecting into things?  There are two basic answers:
  1. Because it allows those things to react to changes in their environment.  They can turn on or off based on the presence of a particular smartphone or changes in the time of day or temperature or motion.  Some can change color or alert us.  Others can warm up or cool down. By adding Systems-On-a-Chip (SOC) to everything from cars to toothbrushes, they can react to these changes so that we don't have to waste our precious grey cells telling them to do things that are obvious to us.
  2. Because it is marketable to connect stuff to the web.  People like to buy things that connect because it makes them feel 'cutting edge'.  More importantly, it allows manufacturers (and even less scrupulous entities) to gather information on how you use their things so that they can do a better job of making the next generation (really market more accurately to you).  Or selling you timely refills.

Stuff.  Connected stuff.

Stuffing computer power in small things is only part of this whole mess.  It's using that computing power to connect those small things to each other and to larger things that really makes it work.  That wall switch with a computer as powerful as the Apollo missions is only useful if it can react to:
  • Changes in its environment, so it needs to be connected to sensors.  Then it can turn on automatically when the room gets dim.
  • Changes in occupancy, so it needs to be connected to the local network.  So it will only turn on in a dim room when someone is actually in it.
  • Changes in owner desires, both at home and abroad, so it needs to be connected to the larger internet.  So parents can turn off the bedroom light that the child left on (again), having overridden all of the dim-room/occupancy BS set by the parents.

Stuff.  (Semi) Secure Stuff.


If computing devices can fit into a wall switch or a toaster, why not a lock or a garage opener?  Now, we can check to make sure that we remembered to close the garage from work.  We can let our mother-in-law in (or not) to water the plants from out of state.  We can be alerted to fires and floods and gas leaks while on the other side of the planet (where we can do sooo much about it).

The catch is that if we connect our home up to allow us to do these things, what's preventing others from doing it to our home as well?  IoT security, especially non-enterprise, consumer grade security, is currently an open question in the Internet of Things.  Much can be solved by changing the default passwords and other settings on the home Wi-Fi router, smarthome hubs, and locks.  But not all.  Not to worry, though.  Any determined thief can still get into your house by de-fenestrating some hardened sediment.

Stuff. So. Much. Stuff.


But locks and lights and thermostats and smoke detectors and window sensors are only the beginning of all this.  Industry is using IoT to do inventory control and monitor manufacturing and employees, everything with sensors and every sensor connected.  And if we can track an employee, why not track the state of the office coffee pot?  Or your fish at home?  Or your plants?

Everything in the developed world is slowly getting connected via Bluetooth, mesh-networks and, ultimately, to the internet.  So many things.  So much stuff.  All connected.  All sensing.  What will we do with all of this data?

It's enough to make you want to hug your teddy bear.  You know, the one that's connected to your therapist.


That's it for ground work.  Next week, some actual opinion on current state stuff.

Monday, February 22, 2016

And So IoS Begins




Hello.

Welcome to the Internet of Schmoid.  A blog about... stuff I'm interested in.  Mostly connected devices aimed at the retail/e-tail consumer though I reserve the right to write about almost anything:
Cars, cordcutting, ISPs, DIY projects (and not just Raspberry Pi and Arduino things, but also more basic home improvement and anything else that I'm proud of), renewable energy, TV shows, books, and writing.
I'll try (not very hard) to stay away from Politics and Religion (P&R from here on out), not because I'm afraid of offending anyone, but because I don't have firm beliefs on either and don't care to.
I intend to be irreverent about these topics.  Snarky.  I believe that if you can't make fun of something (and there's always something to make fun of), then it isn't worth caring about.  I certainly include myself in the list of targets (so I can love myself? Eh, I'll go with it) as it is a first-person perspective on these things and I am far from infallible.  I invite you to comment and tell me just how infallible I am being (and also invite you to offer more than criticism and include a better path).
So what gives me the right to comment/post/blog/put-myself-out-there on connected devices?  Mostly, because I have a keyboard and internet connection and know (sort of) how to use them.  Also, I've spent more than twenty years in consumer electronics, first working retail show floors and then working for a multi-national CE manufacturer.  I'll spare naming them as I'm not sure that they would appreciate it (and they can afford better lawyers than I can).  It also allows me to both praise and criticize them and appear moderately objective (though I think objectivity may have already gone out the window.  An automated window with transparent LCD displays and solar glass, but it still opens and objectivity can still be defenestrated).  I'm sure that with a little internet sleuthing, you can figure it all out.  But what's the point?  That's not who I am here.
I'll try to have new posts out weekly.  Try hard.  The focus will be on what's been going on the previous week that I feel is noteworthy and fits the 'flow' of the post.  Some topics I hope to cover in the opening months include:
If there's something else that you'd like me to comment on, please leave a note in the comments.
That's it for now.
Schmoid.