So it's a year today since I left Red Hat. I've taken sole legal ownership of The Cloud Evangelist blog domain, which had lapsed, and am hosting it now on my own server. If you want to know what I'm up to now, point your browser at Falanx.com, and if you want to read my new blog, launched today, visit www.40somethinggeek.com and catch up.
The all-enveloping category already known as the Internet of Things is fast being labelled the fastest-growing threat to emerge on our communal radar. It presents a disorganised chaos of hard-to-own and hard-to-manage assets, delivering potentially the biggest and most arduous-to-secure threat fabric ever seen in information technology.
Come with me on a trip as we turn the hands of time back to 1934 and visualise a classification system still in use today, based on decisions made over eighty years ago when technology and communications were in their infancy. Let's explore why failing to act in the near future will destroy the promise of IoT before it has a chance to get started.
Attacks such as those seen on OVH, Brian Krebs and now DynDNS are the very start. Without standardisation, without collaboration and concerted effort, we may be judged in years to come as having squandered the opportunity to deliver flexible, safe computing for the next generation.
In the 1920s and 1930s communications firms, telegraph companies and emerging radio broadcasters globally were all finding their communal feet. Existing legislation on commerce dating back to the late 1880s, in the form of the ICC (the Interstate Commerce Commission), was originally conceived to manage, counsel and curb the ambitions of companies across America seeking to monopolise the railroads, and to provide regulations on their running and operation.
By the 1930s the ICC did not scale to take into account the technological revolution that, even in its embryonic state, showed the promise of making the world smaller overnight. The Post Office with its telegraph rights, the ICC, and the Federal Radio Commission were all wrapped up and became one body, which would be known as the FCC. So in 1934 the Federal Communications Commission was born. North America all of a sudden had an all-encompassing standards body, which would blaze a trail for countries all over the world to emulate.
If you turn over any piece of computer equipment sold in the US or for export (so globally), you will see an FCC rating. Even today the FCC is the standards body responsible for standards implementation within its public safety and enforcement role, eighty-two years after its inception.
Since then we've seen other standards bodies: CE, from the European Commission, signifying their "New Approach" methodology for device manufacture and testing; UL, Underwriters Laboratories; the EMC standards for electromagnetic devices; and the EN standards around electrical manufacture and quality assurance. Other countries such as Australia and Canada have their own systems too. The FCC, though, has stood the test of time for everything from radio broadcast and spectrum management to the emergence of telecommunications standards. When it comes to the Internet of Things, however, its legs fall off.
The majority of the provisioned devices thought of as making up the bulk of the global IoT estate are cheaply manufactured. They're mass-produced, dime-a-dozen, fast-to-market appliances, many mimicking more expensive products and playing catch-up with cloned or copied designs. Many use a commodity small-footprint OS that may once have had its basis in Linux and the open source community but has been sufficiently bastardised and forked into an unsupportable image to fit the commodity hardware or storage footprint allowed for device operation.
Many of these devices are not connected to always-on networks and have no method of auto-updating (where the supplier provides that capability at all). Many ship with default passwords that users then fail to change. Many that are connected to IPv4 networks have never had updates, or the updates don't address the serious underlying security weaknesses in the versions of SSH, or the promiscuous daemons and services, running on them. We have seen these core issues over the last month: first with the attack on the Akamai-hosted site where Brian Krebs was taken offline, then round two hitting OVH, Freenode and others, and then last Friday, when DynDNS was all but taken offline in the latest iteration of this now almost predictable rush to launch DDoS attacks, each creating a huge impact across internet real estate.
And nowhere is there an applicable standards body or international body that polices devices prior to shipping or at the point of manufacture to ensure device hardening. Failure to prove out security concepts, and unresolved issues with the developer or manufacturer, are ever present. If this concerned the manufacture of vehicle airbags or the making of a child seat, the issue would be entirely addressed.
What we have are companies rushing to get devices to market for consumer consumption. Google with its acquired Nest and Home products, and Amazon with Echo, are probably at the higher end of the marketplace, appreciating that their users are often not that conversant with securing anything they buy. Certainly devices from manufacturers such as Eurotech, Evrythng and others embrace the use of PKI and TLS and have got authentication right at the point of design and provisioning. We aren't addressing those, but rather the plethora of companies from China to Malaysia, from Hungary to Thailand, which are shipping devices with dated, aged, insecure OS platforms. These are almost always given less thought than the packaging they ship in or the plastics used in manufacture: aged versions of BusyBox, twelve-year-old SSH vulnerabilities and services turned on that should never be listening.
The IPSO Alliance, the Industrial Internet Consortium, FiWare, OpenDaylight IoTDM, Hypercat, the AllSeen Alliance: I could go on but I won't. The list of "standards bodies" and consortia grows almost by the month. The one thing for sure is that they have one thing in common: none of them is relevant to, or making any impact on, the root problem.
For this to have an impact it has to be done at the import/export level, and we have to have government- and industry-backed assistance to make it happen. Turning the clock back to 1934 and working with the relevant governments and agencies will be the only way of enforcing change on commodity hardware vendors who care about the units shipped, not the units hacked.
In the 1980s I grew up a quite dorky, quiet kid interested in emerging computer technology, music and drama, and generally surrounded myself with a small group of like minds. Then add in going to an all-boys selective grammar school in a coastal seaside town and you have a recipe that will go one of two ways: either prison for embezzlement, or trying to cut a career ahead of your peers to achieve something different. I went the latter route, although there is still plenty of time ahead to do the former.
Today I was reading Twitter when I saw a re-tweeted link to a book on cybersecurity. So I followed the link through to Amazon to check it out, when I noticed the author's name. It was the distinctive name of a guy I went to drama club with as a kid and to the same all-boys grammar school, and with whom I spent a fair bit of time hanging out in my early teens. Both of us were around at the start of personal computing, both with the same sense of humour and a very tolerant mother. Turns out he's not just written one but a whole ruddy series of books on the mysteries and vagaries of cybersecurity.
It's hugely satisfying to me to see how my friends have turned out in life. It's also great when I see them publishing works that can be of influence in the security world, a world I've given myself to for nearly twenty years.
So stand by your beds: at some point you can hear all about the books and about the man himself. For now you can go and visit his Amazon page, see the books and order some!
There has been a lot of condemnation in the press and social media of Hewlett Packard releasing a timed firmware update, "set to execute in September", in their March firmware updates for popular OfficeJet, Envy and OfficeJet Pro printers. The update removes the ability to run a percentage of chipped cartridges manufactured by OEM vendors.
Ink has always been expensive, whether you are using HP, Kodak, Epson or, back in the day, Lexmark, who drop for drop were the most lucrative ink maker by a mile. I use a variety of printers on my LAN, all HP: a variety of laser MFPs, an aged JetDirect-enabled HP LaserJet 1100 and an HP OfficeJet colour inkjet. I also have three HP Envy colour inkjets at global locations and other properties, connected via HP ePrint / Google Cloud Print. These mean my Chromebooks, Samsung tablets, Apple iPads and all our family phones can print to the inkjets remotely or from anywhere in the house. We actually rely on the ePrint and Google Cloud Print capabilities hugely.
All four of the HP colour inkjets run HP original ink.
But that must be expensive, you all scream; OEM ink is far cheaper, you all presume. And that's where you'd be hugely wrong.
OEM ink is expensive. If you go to a Walmart, or in the UK any retailer, and buy supermarket own-brand or mail-order ink, it's still costly. The supermarkets and mail-order places also stock HP / Epson / Brother / Kodak inks, and yes, these are probably 25% more expensive than the OEMs.
Now both OEM and own-brand ink are sold at margins of 45-60% profit by retailers and in mail order at probably 25-40% markup. It still might be "cheaper than the original manufacturer", but it's still sold at a markup.
The bigger news is NOT that HP made this firmware change, but that in summer 2015 HP launched Instant Ink. Instant Ink is a three-tiered subscription model for inkjet users under which HP supplies ink directly to users, cutting out the retail market and the channel. By charging for what you use and delivering it directly to you, it works out cheaper than OEM aftermarket inks for HP original product.
I've got four printers in four locations subscribed to it. It makes my 70-year-old mother's life easier, and if you go and get an HP Envy now you get low-quantity inks in the box plus five months' free subscription and a set of inks when you subscribe. Oh, and I can see what I'm using, manage my device and do a lot more cool things into the bargain.
So... the story should read "HP actually makes inkjet usage cheaper for end users" rather than "HP cuts out aftermarket OEM cartridge makers and their profit margins".
I'm NOT an HP fan at all, but I don't agree with many of the bylines or the way HP are being stamped on. HP could actually do PR properly, but as with many things HP does badly as an organisation, that's unlikely to happen.