Would you want your cousin using a connected oven?

Recently my cousin installed a smart oven into her home. It is top of the line. She wrote on social media that it texted her to tell her that it needed to clean itself, which it did before her second cup of coffee. How cool is that?

I immediately feared for her safety. Here is a slightly edited version of what I wrote to her:

IoT is a nice convenience, but there are a few things you should know. First, I guarantee that there are vulnerabilities in the device, even if some have yet to discover them. This is true for *any* connected device. Those vulnerabilities may be exploited at some point. What will happen then?

First, it’s possible that an attacker could simply disable the oven. They probably won’t do this unless they are able to communicate with you. But since the oven seems to be sending you messages, it’s possible that they will do this and ransom you to re-enable it. (If that happens, don’t pay.)

Whether or not you can control the oven from the app, don’t think for a moment that hackers won’t be able to gain that level of control. That presents a far more serious risk: a fire, especially if the hackers are able to detect that the cooking temp is supposed to be 350, and turn the thing up to broil or clean.

The other thing that will happen is that the oven will attack other Wifi-enabled devices in your house or elsewhere. If you have a Wifi-enabled thermostat, maybe it will attack that. Some of those devices have cameras and microphones. The attackers aren’t going to be nice about what information they collect. They’re out to make money or worse.

Will any of this happen? Yes – to many people. Am I being paranoid? Maybe a little. Appliance manufacturers may know how to make excellent oven mechanisms, refrigerator compressors, stove top elements, etc., but they generally know very little about Internet security and its risks. Even those who know a lot get it wrong all the time, simply because we’re human.

And so are you gaining any great convenience by having the Wifi turned on, apart from a 5:30am wake up call to let you know that it needs to clean itself? If yes, you have a trade off to make. If not, just disable its darn Wifi.

This is how I feel about technology and the ones I love. Presumably you have some of those. There are definitely times when IoT is necessary, and when convenience is probably worth the risk. But consumers really need to think about this long and hard, and we professionals need to provide them a decent decision framework. I’ll talk about that next.



Shining City Upon a Hill

9/11 has harmed our values. We need to return to them.

I have been struggling with 9/11 for a great many years.

While I lost a cousin, we were not close. I stand in support of my family who were devastated, and who I love, and with my country who was attacked, and who I love. I’m glad we went after OBL and the Taliban in response. But for me to claim that I was a victim of this attack seems a form of self-aggrandizing that is disrespectful to those people who really did suffer. I do not need to light a johrzeit candle for someone who died on that day, but to support those who do.

But I have suffered a loss.

The terrorists who do not deserve naming killed 2,977 people on that day. Another 6,000 were injured. That’s a lot of people to lose in one day to a hateful act, and it required a response. But those criminals cannot be held responsible for harming our ideals. Only we can do that. And so we have done.

A great many of my friends see the attack as victims in such a personal way that it has allowed them to justify acts in our name by our government, without any sense of proportion.

They say, “Never Forget!”

That phrase is holy to me. It means that we should remember the loss of 6 million Jews who died at the hands of a society who accepted hatred and bigotry as an excuse for genocide, and that we should understand the causes of the deaths of those people, and never ever allow it to happen again. To me, it is blasphemous to use the expression in any other context.

In this context, it has been used as an excuse to harm our ideals, the best modern expression of which were said some 30 years ago:

I’ve spoken of the shining city all my political life, but I don’t know if I ever quite communicated what I saw when I said it. But in my mind it was a tall, proud city built on rocks stronger than oceans, wind-swept, God-blessed, and teeming with people of all kinds living in harmony and peace; a city with free ports that hummed with commerce and creativity. And if there had to be city walls, the walls had doors and the doors were open to anyone with the will and the heart to get here. That’s how I saw it, and see it still.

Ronald Reagan, January 11, 1989

Since 2001, the wars in which we engaged have taken the lives of anywhere from 200,000 to 1 million people, and Afghanistan is not much better off than when we went in. But that is nothing to me compared to the mentality that we have taken on, in which we act out of fear, spite, and vengeance, and that we have lost our compassion for those beyond our borders. That so many are scared of the people who come here with nothing but the shirts on their backs shows just how far we have fallen from grace.

On September 13, 2001, I wrote that I saw my lot in life not to be a victim, but to support the victims, to keep calm and carry on. I wanted to do what I could to preserve the shining city on the hill. I still believe all of that, only now, sadly, the goal is restoration.

Most of us are not victims and we have to stop acting like victims. And we have to stop using a victimization mentality as an excuse for vengeful, uncharitable, and bullying behavior.

My hope is that as we approach the 20th anniversary of the attacks, we can begin as a society to reclaim our American ideals, so that we can once again be that Shining City On the Hill.

RFC 8520 on Manufacturer Usage Descriptions Released

Today the RFC Editor released RFC 8519 (the ietf-acl model) and RFC 8520 (Manufacturer Usage Descriptions).  The ACL model provides for a programmatic YANG-based interface that is flexibly extensible.  Manufacturer Usage Descriptions (MUD) extend this model so that manufacturers are in a position to request the network’s assistance.

MUD provides a declarative model for manufacturers to describe to customers what network resources their devices are designed to use. No guessing games are required. Manufacturers use simple abstractions to describe what access a device needs, such as a domain name for a cloud-based service, or same-manufacturer or my-controller for local devices.
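To make those abstractions concrete, here is an added example (not from the original post or from any MUD project) that expands a MUD file into the list of peers a device asks to talk to. The JSON member names follow the RFC 8520 layout; the oven, its URLs, and the ACL and ACE names are constructed for illustration.

```python
import json

# Constructed sample MUD file (RFC 8520 layout); device, URLs and names are made up.
SAMPLE_MUD = json.loads("""
{
 "ietf-mud:mud": {
  "mud-version": 1, "mud-url": "https://oven.example.com/oven1.json",
  "from-device-policy": {"access-lists": {"access-list": [{"name": "from-oven"}]}},
  "to-device-policy": {"access-lists": {"access-list": [{"name": "to-oven"}]}}
 },
 "ietf-access-control-list:acls": {"acl": [
  {"name": "from-oven", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "cloud", "matches": {
     "ipv4": {"ietf-acldns:dst-dnsname": "api.oven.example.com", "protocol": 6},
     "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
    "actions": {"forwarding": "accept"}},
   {"name": "ctl", "matches": {"ietf-mud:mud": {"my-controller": [null]}},
    "actions": {"forwarding": "accept"}}]}},
  {"name": "to-oven", "type": "ipv4-acl-type", "aces": {"ace": [
   {"name": "peers", "matches": {"ietf-mud:mud": {"same-manufacturer": [null]}},
    "actions": {"forwarding": "accept"}}]}}
 ]}
}
""")

def peer_of(matches):
    """Name the peer an ACE is scoped to, or None if it names no peer."""
    for fam in ("ipv4", "ipv6"):
        for key, val in matches.get(fam, {}).items():
            if key.endswith("-dnsname"):      # src-dnsname / dst-dnsname
                return f"dns:{val}"
    for term, val in matches.get("ietf-mud:mud", {}).items():
        return term if val == [None] else f"{term}:{val}"  # [null] = empty leaf
    return None

def summarize(mud):
    """Expand both policy directions into (direction, ace, peer, port) rows."""
    acls = {a["name"]: a for a in mud["ietf-access-control-list:acls"]["acl"]}
    rows = []
    for direction in ("from-device-policy", "to-device-policy"):
        refs = mud["ietf-mud:mud"].get(direction, {}).get("access-lists", {}).get("access-list", [])
        for ref in refs:
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                port = next((m[p][k].get("port") for p in ("tcp", "udp") if p in m
                             for k in ("destination-port", "source-port") if k in m[p]), None)
                rows.append((direction, ace["name"], peer_of(m), port))
    return rows

if __name__ == "__main__": print(*summarize(SAMPLE_MUD), sep="\n")
```

A row whose peer comes back as `None` names no DNS name or MUD abstraction, which is the entry an administrator reviewing the file should look at first.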

Even when one doesn’t use automated tools, there is benefit to manufacturers in writing MUD files.  A study by the University of New South Wales found that IoT devices often conflict with enterprise network policies, and that this goes largely unnoticed by administrators who don’t understand the needs of those devices.  What we can say is that if manufacturers do a little bit of work, they and our customers can both derive a whole lot of value from the network.

A fair amount of software already exists for MUD, including the NIST MUD Manager, and the tools built by CIRA, not to mention Cisco’s open source version, and osMUD.org, and commercial versions built by Yikes! and Cisco. Google has implemented a MUD manager for build management. And of course you can build your own MUD file for your device by going to https://www.mudmaker.org.

MUD is part of a nutritious meal, but it is not the whole meal. Manufacturers should always use best coding practices, and update firmware and software promptly when they learn of vulnerabilities and exploits.

Next Steps

It’s time for manufacturers to implement! Protect your devices with MUD!

New Paris Cyber-Accord: Nice words. What comes next?

The accord and Macron’s words are a bit “aspirational”.

Recently France has taken the initiative to produce what they call The Paris Call for Trust and Security. This call has garnered signatures of some 57 countries and several hundred companies and organizations (including that of my own employer).* What President Macron and others have recognized is that there is a risk of both state and non-state actors interfering in the lives of everyday people, possibly causing them great harm.

Every day provides a new example of why protection of our institutions is necessary.  This video was made some time ago.  We’d like to think that security of our infrastructure has improved, but Marriott proved us wrong last week, with over half a billion customer records having been stolen.

The Paris Call seems to address itself to these sorts of civilian attacks, which to me is appropriate. In particular, it focuses on the following areas (I’m condensing just a bit):

  • Protection of critical infrastructure,
  • Protection of electoral processes (Gee, I wonder who that is aimed at),
  • IPR protection,
  • Tools development to prevent the spread of malware,
  • No hack-backs, where people attempt to take the offense as either a defense or a means of deterrence,
  • Acceptance of international norms of behavior.

The Call does not create or call for the creation of any new mechanism to pursue these points, but rather the use of existing mechanisms.  Instead, what we appear to be witnessing is the creation of a voting bloc inside existing multilateral and multi-stakeholder processes, as well as a non-binding commitment among the signatories themselves to pursue these principles.  It’s all motherhood and apple pie until we understand what the actual instantiation of these principles means.  Does it mean, for instance, an end of free software in order to protect content providers?  Will it require content publishers to actively protect all rights of copyright holders, even if those holders are unknown?

Also, should these principles apply equally to civilians and the military? Let’s take for example the Stuxnet attack, where some state actor attacked Iran’s nuclear weapons facility. Should that attack have been prevented by these principles? To what end? Helping Iran gain an offensive nuclear capability? If the choice was a cyberattack against a military installation versus a physical attack, where people would surely die, I’ll take the cyber attack any time.

There is another big topic that isn’t covered. Right now governments are all struggling with how to handle cross-border law enforcement. That is, if someone in Jurisdiction A hacks into or uses a computer in Jurisdiction B to attack a person in a third Jurisdiction C, who can reasonably ask Jurisdiction B for the data? This is a massive topic that the Council of Europe has been attempting to address for years. These are knotty issues, because of the limitations on the powers of each country relating to search and seizure.

In short, while this is nice text, it doesn’t seem to me to accomplish much on its own. 

It does seem to be a slap at Russia and China, two notably absent countries. Three other notably absent countries are the U.S., Israel, and Iran. Coincidence? I think not.


*The views of my employer surely vary from my own today.

Internet Balkanization is here already, Mr. Schmidt.

In the technical community we like to say that the Internet is a network of networks, and that each network is independently operated and controlled. That may be true in some technical sense, but it is far from the pragmatic truth.

Today’s New York Times contains an editorial that supports former Google CEO Eric Schmidt’s view that the Internet will balkanize into two – one centered around US/Western values and one around values of China, and indeed it goes farther, to state that there will be three large Internets, where Europe has its own center.

The fact is that this is the world in which we already live. It is well known that China already has its own Internet, in which all applications can be spied on by the government. With the advent of the GDPR, those of us in Europe have been cut off from a number of non-European web sites because they refuse to comply with Europe’s privacy regulations. For example, I cannot read the Los Angeles Times from Switzerland. I get this lovely message:

Unfortunately, our website is currently unavailable in most European countries. We are engaged on the issue and committed to looking at options that support our full range of digital offerings to the EU market. We continue to identify technical compliance solutions that will provide all readers with our award-winning journalism.

And then there are other mini-Internets, such as that of Iran, in which they have attempted to establish their own borders, not only to preserve their culture, but also their security, at least in their view, thanks to such attacks as Stuxnet.

If China can make its own rules, and Europe can establish its own rules, and the U.S. has its own rules, and Iran has its own rules, can we really say that there is a single Internet today?  And how many more Internets will there be tomorrow?

The trend is troubling. 

We Internet geeks also like to highlight The Network Effect, in which the value of the network to each individual increases based on the number of network participants, an effect first observed with telephone networks.  There is a risk that it can operate in reverse: each time the network bifurcates, its value to each participant decreases because of the loss of the participants who are now on separate networks.

Ironically, the capabilities found in China’s network may be very appealing to other countries such as Iran and Saudi Arabia, just as shared values around the needs of law enforcement had previously meant that a single set of lawful intercept capabilities exists in most telecommunications equipment.  This latter example reflected shared societal values of the time.

If you believe that the Internet is a good thing on the whole, then a single Internet is therefore preferable to many bifurcated Internets.  But that value is, at least for the moment, losing to the divergent views that we see reflected in the isolationist policies of the United States, the unilateral policies of Europe, BREXIT, and of course China.  Unless and until the economic effects of the Reverse Network Effect are felt, there is no economic incentive for governments to change their direction.

But be careful. A new consensus may be forming that some might not like: a number of countries seemingly led by Australia are seeking ways to gain access to personal devices such as iPhones for purposes of law enforcement, with or without strong technical protections. Do you want to be on that Internet, and perhaps as importantly, will you have a choice? Perhaps there will eventually be one Internet, and we may not like it.

One thing is certain: At least for a while, I won’t be reading the LA Times.

My views do not necessarily represent those of my employer.

* Artwork: By ProjectManhattan, CC BY-SA 4.0, https://commons.wikimedia.org/w/index.php?curid=39714913