Category: Stephen Bryen and Shoshana Bryen


Can We Make the Internet of Things Secure?


In the simplest terms, Internet of Things (IoT) is the addition of some internet connectivity to everyday objects.  Security cameras, for example, previously had to be hardwired.  Now they are generally WiFi-connected, allowing camera information to be transmitted to the security control system and allowing the security control system to broadcast its collected information to a remote command center or even to a tablet or smartphone.  Then, if the camera has PTZ (pan, tilt, and zoom) functions, the user can redirect the camera, zoom in on an anomaly, or follow an object.

There is hardly a new product that does not try in some way to offer IoT capability.  The simplest products gather information from the broader internet and relay it to the user.  A “smart” refrigerator can tell you when your grapes are getting low or close to spoilage.  It can order grapes for you and have them delivered, or tell you where grapes are on sale and how close to your house the sale is.  A “smart” TV can search out genres of programs for you based on preferences you pre-load, or by deriving recommendations by tracking your use behavior on the internet.  A “smart” TV can become a point of sale device linked to Amazon, eBay or other outlets, letting you order on impulse while watching your favorite sports or house-hunting program. (“We can deliver a pizza now!”  “How about calling Joe at Friendly Realty?  He can find you a great home at a terrific price.”)

As artificial intelligence (A.I.) gains ground, home and business assistants will answer your questions or even make suggestions.  Alexa from Amazon already has a large user base, with Google and Apple coming along.  “Would you like me to turn on the lights downstairs as it is past 9PM?”  “Can I recommend a really great restaurant that just opened near you?  I can make a reservation for you; just tell me when you would like to try it.”  Or “Keep in mind that you need to take into account local taxes when figuring prices for your latest product.  Do you want me to calculate that for you?”

Intelligent assistants will start doing a lot of the work that paid help once provided, will do it 24×7 without complaint, with minimal overhead, and will not only be cost-effective, but can also be a profit center.  For example, a really great sales digital assistant will not only call customers, but be capable of managing a conversation, promoting new offers, providing technical help, and even asking for customer opinions and integrating findings into a master package for the company.  These go far beyond current-day answering systems. (“Press 1 if you want to speak to a nurse, 2 to make an appointment, or 3 to collect the dead body.”)

This is an environment wide open to mischief, and the mischief is starting.  Suppose I turn on your smart TV camera (yes, you have one) and record activity without your knowledge.  Suppose I misdirect your GPS and send you off in the wrong direction or to the wrong destination.  Suppose I create a fake traffic jam ahead (this has already been done) and make you take a dead-end detour.  Suppose I order products you did not buy.  Or deliver a pizza, an Uber, or a new car to your front door.

And that’s only the beginning.  Suppose I invite you to a meeting at a certain time and use it to carry out a kidnapping or worse.  Now we are getting to the really dirty stuff.

The truth is that, aside from your common sense, there isn’t much to prevent the misuse of IoT.  In fact, most IoT devices are intentionally not secure.  They don’t require a user ID, and they have no built-in system to sense outrageous or fake commands.  There are no security standards for IoT devices and none known to be in the works.  Most of the hardware and local software for these devices is produced offshore, creating countless opportunities to plant bugs into IoT systems, as has already happened with smartphones.

But even lacking rudimentary security, IoT systems will gain significant market share.  People want them even though they are security hazards.  So how do you get security into devices that are inherently risky?  

It is possible to create protections in hardware by introducing some biometric access tools – e.g., face or voice recognition.  This will make it harder to get into these devices locally (the place where they are actually used), but if the devices are used remotely (e.g., for turning on the heat or checking on the babysitter), biometric security won’t accomplish a great deal.  

Because people using IoT are churning out large amounts of actionable data (like your pizza preference) and because that information can be captured and exploited without your authorization, there is an enormous privacy issue looming.  While they naturally claim to protect your privacy, companies including Google and Yahoo can scan your email to extract your preferences and then use that information directly for their own marketing or sell it to others.  This is called “monetizing privacy,” and there are no rules or standards that protect individuals.

It follows, then, that IoT providers have to become truly responsible for security.

The answer is not only in technology, although IoT clearly needs a verification system; the courts will be increasingly important in determining the rules for future internet privacy.  In general, American courts have not been friendly to privacy issues, partly because there were national security questions and the court understood that government needed information to prevent terrorism.  But with personal use of IoT exploding, there needs to be a rebalancing, and there has lately been a shift in court attitudes. 

If the rules for IoT change, the technology will follow.





Why Did Assad use Nerve Gas?


It is hard to explain why Bashar Assad used nerve gas — probably Sarin — in the town of Khan Sheikhoun in Syria’s northern Idlib province. On the surface, at least, it would seem to be a totally counterproductive and reckless move likely to anger the Europeans, the Americans, and even his patrons the Russians. Then why would he do it?

It was a surprise, coming as it did immediately after U.S. Ambassador Nikki Haley announced that “regime change” in Syria was no longer a priority and the U.S. focus would be on ISIS. This was a major change from the Obama administration and should have reassured Assad that he could hang on as ruler of Syria. But some pundits saw the U.S. policy shift as a perverse incentive for Assad, making it possible for him to believe he could use highly lethal chemical weapons without fear of retaliation. The Sarin would thus be a test of whether the new policy was real. To some degree, the announcement by the British prime minister that the UK had no retaliatory plans despite the attack might seem to be evidence for this argument.

It is a considerable stretch, though, to think Assad would use chemical weapons to test an American policy shift, particularly because this particular shift would have helped Assad and the Alawite minority cut a final deal that preserved their domination. It is doubtful that is the explanation.

The more likely truth is that Assad was deeply afraid that the U.S. policy shift was part of a secret deal with the Russians, one that he had to head off.

In 2014, after the first documented government use of chemicals against the Syrian population, Russia and the United States struck a deal for the removal and liquidation of Assad’s Sarin and other chemical stocks. Part of the importance of the deal lay in the fact that it was negotiated directly between Russia’s foreign minister and America’s secretary of state, making Russia and the United States the high-level guarantors of Assad’s compliance. There was not much compliance, actually — UN Secretary General Ban Ki Moon said chemical stocks remained and 5 of 12 chemical plants were still operating months after the disposal was supposed to have occurred. But regardless of what they knew (and regardless of Assad’s use of chlorine gas), the deal was considered a success until Khan Sheikhoun. This first use of Sarin since the agreement poses a direct challenge to both countries, but especially to Russia.

Why? The answer is that Assad, as paranoid as he surely is, suspected that the administration’s announcement on regime change policy was an opening bid by the United States to cut a deal with the Russians on a general Syrian settlement. Syrian policy makers could easily construe the FBI’s ongoing investigations in Washington as proof of a Trump-Putin alliance. And that would be terrifying.

Russia has been looking for a way out of the Syrian war that would preserve Russian bases and political power. But its attempt to get a deal failed when both the regime and the rebels basically disowned the idea of a negotiated settlement. In addition, Russian support for Kurdish autonomy in Syria angered Assad almost as much as it did Turkey. From Assad’s point of view, he is hostage to the whims of the Russians and their surrogates, primarily Iran. He may see his regime being sold out, or Syria cantonized into ethnic enclaves (which was actually Russia’s plan), which would appear to him ever more likely if the U.S. and Russia were colluding. 

Even the Syrians read newspapers, and they could conclude (as the Democrats in the U.S. and some Republicans like John McCain are trying hard to promote) that President Trump is in league with Putin. In Syria, conspiracies are the staff of life, mother’s milk, the air you breathe — even if they are nonsense.

The Russians have been scrambling to come up with some way to explain how the Sarin came to be used, first claiming there were no Syrian government planes in the area. If that were the truth, the Russians would have brought out radar track maps (easily available) to prove their case. No tracks, no planes. One can assume the Russians did not show evidence because it did not support the claim.

It took the Russians nearly 48 hours to come up with what they believed might be a plausible argument — for the gullible, at least. Essentially acknowledging Syrian aircraft in the region, they said a Syrian rocket hit a warehouse where the rebels were stockpiling chemical weapons. The chemicals then leaked, killing the civilians in Khan Sheikhoun. So far at least, most governments and the UN have rejected the story as unconvincing and fabricated.  In practical terms, nerve gas dissipates fairly quickly and is not persistent — and there is scant evidence that the rebels in Syria have any. And that would not account for the subsequent attack on a hospital treating victims of the Sarin attack.

Considered from this angle, Assad’s return to bombing targets with Sarin nerve gas may have been intended to demonstrate independence from both superpowers and make it nearly impossible for an engineered settlement to be imposed on the regime. With the U.S. angry and up in arms, and the Russians forced to defend their indefensible client, the sacrifice of some hapless civilians could have been, in Assad’s view, a cynically effective way to hold off the dogs. For now.
