Archive for the ‘Concepts’ Category

Tuesday, March 22nd, 2011

Top Five Things Every Device Developer Needs to Know About Security

With the growing interest in machine-to-machine (M2M) devices and connectivity, enterprises today are looking to capitalize on opportunities presented by this trend. At the same time, developers face challenges related to new device development, as many industries require components that ensure that devices are fully protected against external security threats. From preventing data from being manipulated and/or modified, to ensuring no security holes are present, it is critical that new devices provide this added level of security and assurance. This is especially critical for companies in the financial, pharmaceutical and metering industries, where data breaches or modifications can result in costly penalties and fines.

Bug Labs and Pitney Bowes developed BUGsecure to empower enterprises to help eliminate these common security risks and develop new devices they can trust will protect sensitive data. Comprised of the Bug Labs BUGbase 2.0 with an embedded tamper-responding security chip from Pitney Bowes, the functionality enables cryptographic processing, a secure time source, transaction management, remote security lifecycle management, and third party server validation. BUGsecure is compatible with 3G and 4G mobile development platforms, as well as standard Bug System modules. As a result, companies are able to develop new and secure M2M device innovation quickly and affordably.

To help device developers kick-start their innovations with confidence, the following is meant to serve as a guide:

  1. What are the top things that I, as a developer, should be concerned with regarding device security?
    • Malware – Viruses, trojans and other malicious threats are widely-known to infect computer systems. However, with the proliferation of mobile devices, hackers and other criminals have developed new tactics to execute malicious software on mobile devices. Given that many mobile phones function akin to computers, information contained within becomes much more valuable, and criminals are looking for better, and more efficient ways to get your information.
    • Users Tinkering with Applications – On mobile devices in particular, it is easy for users to go in and change or reduce the security settings inherent on the device. This occurs in two ways:
      1. Non-malicious – This occurs when a user either knowingly, or unknowingly, goes into the application setting on their mobile devices and changes something that results in a reduction of security on their system.
      2. Malicious – This often occurs when a user is able to obtain codes that are able to unlock phones, modify software and cause potential damage to the device and the information contained within it.
    • Remote Devices – Remote devices present risks to the enterprise. Not only is it a challenge to manage multiple devices in a fleet, but ensuring the security of these devices is critical. Devices go as far as their users carry them, and in some cases, this means to non-password protected Internet connections, where devices can be vulnerable to attacks.
    • Ability to Modify Application Data – Another major security risk occurs when mobile device application data is modified by the user for malicious purposes. This happens when someone is trying to save money, reduce a charge, or create fraudulent information within an application.
    • Wide-scale Distribution – The “share-ability” enabled by the Internet can be both a blessing and a curse. In the case of mobile security, it is often a curse. With just a few simple keystrokes, a hacker has the ability to mass-distribute code that has been used to “crack” into mobile devices and their operating systems.
  2. Wide-scale distribution of “cracked” codes has always been a reality for companies. How does BUGsecure play into this? How does it make a difference?
    • There are essentially 4 levels (that increase in complexity) at which a mobile device attack can occur:
      1. A hacker is able to manipulate software on the mobile device.
      2. That same code is mass-distributed (via the Internet). More eyes equals more opportunity to do more of the same damage to mobile device software.
      3. A hacker physically manipulates the mobile device to get the information needed (ex. cutting wires). The process is effective, yet slow, as it is a one-at-a-time effort for hackers.
      4. At this level, not only must the hacker need to both manipulate the software AND the hardware, but it must also face encryption and authentication challenges. These elements make it nearly impossible to obtain data and/or manipulate the device further. This is the level where BUGsecure is at.
  3. I’m already taking adequate security precautions. Why should I consider BUGsecure?
    • Managing secure devices is not an easy task. Even the best security mechanisms, such as algorithms and cryptography, can falter if not managed adequately.
    • The key to getting ahead of the curve is having the foresight to develop new wireless devices with security in mind from the start. Too often, security is implemented mid-way through the development process, or is implemented after a product has been developed.
    • With BUGsecure, common mass-distribution-based threats are eliminated. The tamper-responding security chip from Pitney Bowes that is embedded into the BUGbase 2.0, provides cryptographic processing, a secure time source, transaction management, remote security lifecycle management, and third party server validation.
    • When developing new wireless devices, the security features within BUGsecure also allow you to utilize real data in a prototyping situation, enabling you to implement a better security design within the new device as a result.
    • In addition, using BUGsecure in an enterprise environment can help free up time spent on managing security on a day-to-day basis. Instead of purchasing a library and dedicating valuable team resources to implement security features, BUGsecure delivers all the security needed upfront, with no further implementation needed.
  4. Why is BUGsecure new and exciting for the market? What challenges does it address for your target markets?
    • This is the first time that a physically secure, tamper responding hardware security solution has been tightly integrated into a mobile application development platform. The unique combination of security with mobility and a trusted, scalable infrastructure will enable many new accounting, payment, tracking, communications, and authentication solutions.
    • The availability of trusted messaging form a mobile device with a lower barrier to entry than ever before will enable new business models for existing applications.
    • The availability of a proven security solution in a platform that supports rapid prototyping will enable designers to build solutions with security integrated from the very beginning. Instead of adding security capabilities as an afterthought, you will now be able to include scaleable and configurable security from the very beginning of your prototyping process and trial deployment process.
  5. What is the basic functionality of BUGsecure?
    • This is the first time that a physically secure, tamper responding hardware security solution has been tightly integrated into a mobile application development platform. The unique combination of security with mobility and a trusted, scalable infrastructure will enable many new accounting, payment, tracking, communications, and authentication solutions.
    • The new version enables critical security capabilities including secure authentication, secure communication, secure audit trail, and secure accounting. These features are enabled using industry standard encryption and digital signatures built on a robust and scaleable key management and device management infrastructure. This powerful combination of features forms a complete solution for security life-cycle management.
Wednesday, November 5th, 2008

RIP CE

I read with chagrin the latest news from Dash Express. These are clearly tough times and we wish them luck with their new model.  But I think this actually points to something far deeper and more seismic: there is literally no future in the traditional model of consumer electronics (CE). There’s no there there. Anyone thinking of investing in it the way it’s currently constructed is crazy.

It is beyond difficult to innovate in hardware today. There are literally only a handful of players doing it well. And even they are just moments away from catastrophe if they can’t keep the hits coming (hi Motorola). Compare this to the world of software where thousands of developers are innovating on a global scale.

Does it HAVE to be this way? Is it written on stone tablets somewhere that the current method of creating hardware is the one and only way? Of course not. Just like it wasn’t ordained that all computing was to happen on mainframe computers, or that all knowledge of the printed word belonged to the elite. Change in both these examples came as a result of innovation-enabling technologies; new tools that allowed whole, previously excluded, groups of people to learn and benefit.

Right now, the whole world of electronics is hamstrung by what feels like a lack of equivalent enabling technologies. The result is that everyone loses. Investors lose because because their returns are subject to a completely unpredictable hit-based financial model. Producers lose for basically the same reason. Consumers lose because the attendant lack of innovation and lowest-common-denominator products restricts the value we could actually be deriving from new technologies.

Imagine if Dash could have built its product using both open source software AND hardware IP. I guarantee they could have brought it to market faster and at a fraction of the cost. That, in turn, would have freed up some of that $71M for other investment areas like retail distribution, international markets, etc. The point is, you shouldn’t need massive resources from huge firms like Sequoia and Kleiner Perkins to innovate in hardware. You sure don’t need it for software anymore.  The hardware world needs a 21st-century, bottoms-up,  open source model of innovation.

I know it seems incredibly self-serving to try and proclaim the emergence of a new revolution. And, of course, I can’t say that I’m not personally invested in its success, but irrespective of whether or not Bug Labs will play a meaningful part in it, the forces of disruption are coming.

Wednesday, May 21st, 2008

Building a CrowdSourced Security System

One of the most frequent questions I get is “what are you supposed to build with a BUG?” to which I typically respond “whatever you want!” When pressed, we have a few different examples we use to illustrate the importance of programmable, open gadgets. During CES this year, we often used an example of a fully controllable home security system, built using the BUGbase, a motion detector module and a camera module. The idea, in a nutshell, is a security system that could take pictures when motion was detected, and direct those pictures to a selectable location. But that’s not where the idea stops for us, it actually extends much further.

The key here is to think well beyond the static/automatic nature of an off-the-shelf consumer electronics device. A static device is designed to do its task very specifically. When it comes to communication and photos, however, there are too many options to build into any one product. For example, what if I want my security system to send pictures to my cell phone during the day, and archive them on a local PC at night? Or what if I want the pictures sent to my Flickr account? Easy so far, except the next 20 “customers” might want different combinations of photo sharing services, different motion detector sensitivity settings, and numerous options beyond. Gets a bit trickier. Now let’s explode the concept out to think about the “crowd”.

What if I am on vacation, and while I’m gone, I want the system to really work for me. I’d want my friends or family to know someone’s in my house, right? So one option is to have the photos emailed to them, but another, much more powerful one would be to integrate with Twitter or Facebook. Now the “crowd” who knows me is able to work as a group to notice the motion event. Think of the impact of a community of users watching out for one another and each other’’s valuables (house, car, etc) using social networks and automated alerts/notifications. Simple stuff.

This week we decided to try it out. We set up a BUGbase with camera and motion detector modules and placed it in our office in a place where it detects someone coming in the door. We then configured it to send out a Twitter and start logging pictures to Twitxr whenever motion was detected. The application is now available on BUGnet here (please note we are making improvements to it – it’s fun to tinker!).

It’s dawned on us that this example is more interesting than just “another gadget”. In essence, by setting up a Twitter feed triggered by a motion sensor we’re extending the online conversation to include machines – let’s call it a Social Gadget Network. This has potentially useful implications. Now, anyone can subscribe to our security camera Twitxr feed (hence the name “crowd-sourced security”). The BUG community can now help us keep an eye on our office.

We’re still getting our heads around the concepts of ever-connected gadgets that do more than the functions at hand. Shared data. Shared feeds. Shared inputs and outputs. The impact is going to be big, and it’s exciting to think about!

Wednesday, March 28th, 2007

We Are All Applications

What is a database but a resting place, however temporary, for bytes
(being an arbitrary unit of measure) of data waiting to be consumed by
some application.  It is useless otherwise.  But in essence, isn’t the
real world just a database?  Everywhere is information waiting for
consumption.  Our senses are applications that consume data.  Our
bodies themselves consume data (all living things do).  Evolution
itself could be seen as versions of applications responding to changes
in the Earth’s database.  What I’m trying to say is, there must be some
interesting way to make use of this fact. 

There is data everywhere. We
are all applications.  Why don’t we build better bridges between
ourselves so that we can better share our data?  Right now, as I sit
here, the application known as Peter is consuming data. Is this info of
interest to anybody else?  Depending on one’s knowledge, care and/or
use for me personally you could probably draw concentric rings
eminating from me that demonstrate levels of interest.  But that
interest quickly tails off.  My data becomes interesting only insofar
as it describes environmental or other sensory inputs (this may not be
strictly true – my editorial input may have value – e.g. The temp is 70
but that’s unusual for this time of year). What’s the barometric
pressure at my lat/lon, etc.  Do I see the Golden Gate bridge from
where I stand? Is there a line at the Starbucks where I am sitting?  If
I go out of my way to post this data, would someone be interested in it
(Flickr is a great data point)?  If everyone posted random bits of data
what would that truly provide?  Useful information or meaningless
noise? 

Perhaps the Long Tail concept applies.  It rapidly becomes a
problem of search and categorization to make sense of it all, but maybe
Google could help.  Maybe it’s self organizing. People are drawn to the
info they’re interested in and post the same.  Who would take the time
to make inputs?  It’s a social networking question but my bet is there
could be a healthy quid pro quo.  At least from a core initial group.

There are probably good existing analogs. Spies, for instance, make it
their job to constantly input data.  The unbelievably prescient book Snow Crash by Neal Stephenson imagined individuals called Gargoyles whose business it was to ceasely collect any/all information in their immediate vicinity.  The latest incarnation is justin.tv.  If the value to the greater good
could be easily demonstrated, who knows?  There may even be an economic
model that could support it.  I become a data source, a streamer, that
people can rely on, subscribe to (RSS).  I could be a specialist on
parking spots at 76 and Amsterdam.

Perhaps even more interesting is what if I have hyper sensory inputs
from other devices that I can assimilate into the Peter app?  For
example, maybe I have a geiger counter with me that I can use to stream
radioactive data.

In this model, every person becomes a node in a
vast, distributed application running off the database known as real
life. And like other distributed apps, all nodes become more powerful
and resilient as their connectivity increases.  Through sharing, the
community grows, its resources increase, its efficiency improves.
Pretty cool.

 
Tuesday, February 20th, 2007

Hyper-Awareness

How
do you experience the world? Through your senses. Your senses are your
interface, your inputs. From there your brain produces understanding
and response. But in a world that is increasingly connected,
quantitatively and qualitatively, via computer and Internet, are our
five senses enough? Our sphere of potential control has exploded. But
control requires i/o. In a world where inputs are local this is not an
issue, your senses work fine. However, when the inputs are remote what
do you do? Instant messaging is a remote sensor. It senses input
(presence) and delivers it to you over a network. Once received, your
brain then knows what to do with it and can consider an output. But
this is a rudimentary example. Think of your world, not locally, but
globally. What does it include? How much is out of your reach right
now. All of it, except what is directly around you…OR to which you
are remotely connected somehow. That is what’s new. Think about the
information that you could connect to if you could but extend your
senses. Maybe you could invent new ones to boot. Here’s an example.
You’re in a traffic jam on the highway. The other side is flying along.
You want to know if you should exit right away and try an alternate
route but not if the jam you’re in is short. But how can you tell? The
radio says nothing. You know of no online service that could tell you.
The answer is the drivers in the other lanes. They just drove past the
line of traffic you’re in and could easily tell you if it was a long
one. But how do you reach them? How do you leverage other people’s
senses?! Think of the collective power of that. Certainly work is being
done with cell phones and SMS. But it is still peer-to-peer. There are
other opportunities to leverage sensors that are not human but
"machine", placed by either you and/or others. The point is you start
to utilize and consume virtual "senses". Does that mean you can expand
YOU? If you embed these remote sensory organs into your perception,
your hyper-perception, does that create a virtual octopus out of you?
If you start to think/imagine that you can get answers to remote
sensory questions, the way you perceive, control and respond to your
world changes radically.

 
Monday, February 12th, 2007

Object Sentences

I love language and have always been fascinated by its mechanics – how
the assembly of words in a sequence can either convey meaning or sow
confusion. Given my interest in the value of splitting structure
(grammar/syntax) and content (words), language has been a potent
catalyst. When I was younger, one of the questions I turned over in my
head all the time was – why can’t there be a language in which it was
impossible to speak nonsense – meaning a language where ANY combination
of words made sense somehow. It’s a wacky question but points, I think,
to an important strength of every successful language – it’s incredible
flexibility. Without the ability to write nonsense, nothing new could
be done. Our idea of nonsense is subjective. The poetry of e.e.
cummings would have likely been viewed as complete garbage 200 years
ago. Or how about a computer program?? But the other thing that
fascinates (inspires) me is that even though the interface between
words is formally defined as grammar, it is also totally open, meaning
those rules are really only a guide. Poetry routinely flouts the rules
to great effect. If I know the words of more than one language the
options for sentence construction increase, as long as the reader
understands the languages used and doesn’t mind dealing with no formal
grammatical structure. Words, like atoms, seem capable of infinite
types of combinations, but gain particular value when used with a
logical grammar (e.g. Shakespeare or Hemingway). All of the above, by
the way, is equally true of music.

Lately I have
been puzzling over creating what in essence is a grammar for the
construction of not word sentences but "object sentences". Is there a
formal way to define how objects should/could go together to create a
useful thing or "sentence"? Sounds crazy because maybe it is. But
consider electronics, which for the purposes of this argument I will
equate to a language – meaning it is contained and its moving pieces
defined. At a very high level every device, gadget and gizmo is
identical – power supply, processor(s), i/o devices. Mix them up in
lots of different ways and you get everything from a digital watch, to
an iPod, to an IBM mainframe; like the words of a sentence. Take vehicles of any kind – the same high level analysis produces the
same result – all vehicles are identical. So what? My point is that, at
least in some cases, there is a starting baseline of components (words)
for the construction of certain categories of product. If you could
elegantly define the interfaces between these basic categories perhaps
you could start to generalize and identify an interface "grammar", at
least for that "language". Would love to see that someday.