Web Developer

Saint Luke, the Artist

Today is the feast of St. Luke, one of the four gospel writers who, according to tradition, was also an artist and a painter of icons. Fr. Michael Cummins shares this artistic gift with St. Luke. Today, he explains how icons are more than mere paintings and can only be truly appreciated when we completely change our "perspective."
Looms
4 days ago

IoT Cybersecurity: What's Plan B?

In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn't regulate the IoT market. It doesn't single out any industries for particular attention, or force any companies to do anything. It doesn't even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

What the bill does do is leverage the government's buying power to nudge the market: any IoT product that the government buys must meet minimum security standards. It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner; don't have unchangeable default passwords; and are free from known vulnerabilities. It's about as low a security bar as you can set, and that it will considerably improve security speaks volumes about the current state of IoT security. (Full disclosure: I helped draft some of the bill's security requirements.)

The bill would also modify the Computer Fraud and Abuse and the Digital Millennium Copyright Acts to allow security researchers to study the security of IoT devices purchased by the government. It's a far narrower exemption than our industry needs. But it's a good first step, which is probably the best thing you can say about this legislation.

However, it's unlikely this first step will even be taken. I am writing this column in August, and have no doubt that the bill will have gone nowhere by the time you read it in October or later. If hearings are held, they won't matter. The bill won't have been voted on by any committee, and it won't be on any legislative calendar. The odds of this bill becoming law are zero. And that's not just because of current politics -- I'd be equally pessimistic under the Obama administration.

But the situation is critical. The Internet is dangerous -- and the IoT gives it not just eyes and ears, but also hands and feet. Security vulnerabilities, exploits, and attacks that once affected only bits and bytes now affect flesh and blood.

Markets, as we've repeatedly learned over the past century, are terrible mechanisms for improving the safety of products and services. It was true for automobile, food, restaurant, airplane, fire, and financial-instrument safety. The reasons are complicated, but basically, sellers don't compete on safety features because buyers can't efficiently differentiate products based on safety considerations. The race-to-the-bottom mechanism that markets use to minimize prices also minimizes quality. Without government intervention, the IoT remains dangerously insecure.

The US government has no appetite for intervention, so we won't see serious safety and security regulations, a new federal agency, or better liability laws. We might have a better chance in the EU. Depending on how the General Data Protection Regulation on data privacy pans out, the EU might pass a similar security law in 5 years. No other country has a large enough market share to make a difference.

Sometimes we can opt out of the IoT, but that option is becoming increasingly rare. Last year, I tried and failed to purchase a new car without an Internet connection. In a few years, it's going to be nearly impossible to not be multiply connected to the IoT. And our biggest IoT security risks will stem not from devices we have a market relationship with, but from everyone else's cars, cameras, routers, drones, and so on.

We can try to shop our ideals and demand more security, but companies don't compete on IoT safety -- and we security experts aren't a large enough market force to make a difference.

We need a Plan B, although I'm not sure what that is. Comment if you have any ideas.

This essay previously appeared in the September/October issue of IEEE Security & Privacy.

Looms
4 days ago

My Conversion Story

Today over at my main blog (which is now located at my newly designed blog-website) I have posted the first published version of my conversion story. My Conversion from the Anglican Church also introduces readers to the section of my new blog called “Archived Articles”. In this section I will be posting some of the various […]
Looms
23 days ago

Please Note that We No Longer Accept Payments in Chocolate

A couple of weeks ago, I posted on Twitter the following critical message:

"I may start accepting payments in chocolate."

One of my Twitter friends heard my cry for help, and generously obliged.

Last week I received a delightful box of chocolates that sent my joy meter flying high. Adityajay, the giver of these chocolates, had the following message to share with the world, "We entrepreneurs are crazy with endless possibilities, and this is what makes us unique and keeps us driving [forward]..." 

Thank you, Adityajay (@I_Am_Adityajay), for your friendship on Twitter, for the chocolates, and for your message.

In the Multinational Entrepreneur Training, there is a whole section on appropriate business gift giving, versus corruption and bribery, in the section on Legal (and Illegal!) Issues. Check it out.
Looms
47 days ago

World's longest pedestrian suspension bridge opens in Switzerland

Longest pedestrian suspension bridge in the world officially opens in Switzerland, connects two sections of a walking trail
Looms
84 days ago

Me on Restaurant Surveillance Technology

I attended the National Restaurant Association exposition in Chicago earlier this year, and looked at all the ways modern restaurant IT is spying on people.

But there's also a fundamentally creepy aspect to much of this. One of the prime ways to increase value for your brand is to use the Internet to practice surveillance of both your customers and employees. The customer side feels less invasive: Loyalty apps are pretty nice, if in fact you generally go to the same place, as is the ability to place orders electronically or make reservations with a click. The question, Schneier asks, is "who owns the data?" There's value to collecting data on spending habits, as we've seen across e-commerce. Are restaurants fully aware of what they are giving away? Schneier, a critic of data mining, points out that it becomes especially invasive through "secondary uses," when the "data is correlated with other data and sold to third parties." For example, perhaps you've entered your name, gender, and age into a taco loyalty app (12th taco free!). Later, the vendors of that app sell your data to other merchants who know where and when you eat, whether you are a vegetarian, and lots of other data that you have accidentally shed. Is that what customers really want?

Looms
86 days ago
Does this mean I have to remove my McDs app? Hmm....mmm :)