Thursday, July 23, 2020

Trust and the Internet of Things.

I’ve been asked how I would describe an “ideal” secure work environment, and unfortunately, the answer comes out sounding like a variation on an old joke: you can have security, productivity, or convenience; pick 2.

We can’t have ideal security. We can have a system that is mostly effective at preventing known threats and vulnerabilities from causing problems, while allowing enough work to get done to make it all worthwhile. We have to be vigilant; new methods of doing things mean new vulnerabilities; even the way users generally think and their social interactions can change. Things that aren’t part of the work environment but are socially common can bring entirely new fields of insecurity into the network security zone, such as cellular phones, fitness trackers, and next year possibly neural implants. Security methodologies such as facial recognition could become ineffective or even illegal. Even the admittedly marginally useful polygraph can be further compromised by effective widespread social engineering.

And, of course, there are also hardware and software changes.

Some of these changes are real game changers, and change the entire networking and security landscape: desktop computers, TCP/IP, the Internet, WiFi, VoIP.

Networks and Network Security existed before each of those improvements; and each of those improvements made Network Security more difficult, but the productivity increase was well worth it.

And now we come to 5G and IoT.

Neither is a game changer in and of itself; there is quite literally nothing you can do with either that could not be done with technology available prior to their availability. The huge impact that they will create is from the economics, because if implementation is carried out at the speed that the general enthusiasm seems to insist on, both 5G and IoT will be very cheap from most perspectives that aren’t focused on infrastructure costs or security.

If that is how things actually work out, the Network Security landscape will become MUCH more interesting. And there might be some productivity boost.

Which is one of the reasons I’m so glad to see “Zero Trust” becoming mainstream, even though there are many inevitable misunderstandings and predictable bobbles when it comes to implementing it, as there is at least one very good security model for a massive, geographically distributed IoT device cloud, and that is “totally untrusted”. Most seasoned security professionals could take one look at a proposed IoT implementation, for instance one that monitors and provides control for a system that will seldom, if ever, be physically examined by the deployer and is easily accessible by pretty much anyone, and say “Don’t trust it, don’t allow it to have access to any significant systems, firewall it from those”.

According to various sources, nearly every new car being produced in the US and Japan has LTE/IoT.

And, as our example Network Security Professional could have predicted if he or she thought about it, multiple hacks have occurred, including a well-publicized hack of a Jeep that allowed, among other things, shutting down the engine while it was on the highway. And it will get worse, because of Trust.

Car manufacturers use a trust networking model with automotive IoT.

Quote: “A Trusted Computing Base (TCB) is a collection of policies, procedures, and technologies that enforce the use and security of critical cryptographic and application-based tokens. It is the foundation upon which a platform’s trustworthiness can be defined. If a well-engineered TCB is used at the core of a product, the product will be trustworthy in the field.” EndQuote.

And to be fair, many Network Security Professionals would agree with that statement.

Blockchain technology, invented in 2008 to secure Bitcoin, was widely considered trustworthy and unhackable, and up until 2017 that was still believed. And then multiple vulnerabilities were revealed to have been exploited, with one exploit involving the theft of nearly 2 billion dollars in cryptocurrency. Why? One very simple reason that I would hope that every security specialist always keeps in mind: nothing is perfect.

If I were to design an IoT system for a vehicle, it would have physical separation from any system that could actually interact with the vehicle, aside from possibly the driver; passive sensors only, with GPS, camera and microphone available only at the throw of a physical analog switch, so it would be secure (for the driver). And as could be expected it wouldn’t be very popular, because of the lack of convenience.

While I’m not a fan of either 5G or IoT, I do see many good things that could be done with both. Will those good things balance the massive security issues? I really hope so.

Here we go.

Hello, World.
This will be my first foray into web publishing for quite a while; I ran a BBS in the early 90's, had domains and sites up when it became possible to, had a dedicated line and servers in my basement when that became possible, ran my own websites and hosted a select few others, up until 2008 or so when I had to move to Tennessee.

So, it's 2020, and I'm somewhere that I could get back in the game.

And I have interesting things to say, allegedly. I have opinions on issues throughout the possible interest spectrum, and academic and professional experience in a variety of disparate areas.

Unfortunately, it appears I am now technically insane. My views, opinions, and conclusions on a variety of topics differ substantially from the accepted norm. From Wikipedia we know that abnormal behaviors are "actions that are unexpected and often evaluated negatively because they differ from typical or usual behavior". As I make decisions and take actions on my concept of reality, I can't be anything but abnormal.

A few of my other labels: Conspiracy Theorist. Gun Nut. Anti-Gun Nut. Fascist. Elitist. Socialist. Liberal. Nazi. Bernie Bot. Trumpist. There are a few others but those are the high spots. You may have noticed that some of those labels don't exactly paint a clear picture?
Part of that is because outside of one or maybe 2 topics which I would call "beliefs", I have Opinions. I suppose I'd better explain what those are.

I could simply make a link to the Wikipedia page on opinions, but as the admins of Wikipedia no longer remember what it says, I'd better explain.

There are Facts, which are things that are consistent with reality, and can be proven to be true through evidence and experimentation. (Note: In my Universe, which includes Quantum Mechanics and the belief that mankind doesn't know everything there is to know, Facts have an asterisk next to them. Example: You tell me you are standing in your living room and are going to drop a tennis ball from your hand and ask me to tell you what will happen. My answer would have to be "It will almost certainly fall and hit the ground". Because I can conceive of circumstances where that might not happen, it simply isn't, in my world, a fact.)

And then there are Opinions. Wiki says "An opinion is a judgment, viewpoint, or statement that is not conclusive".

Which brings me to my problem. Let's throw another word out there, "Credibility". Wikipedia has a pretty good article on the subject. In essence, something is considered a fact if a majority of credible experts believe it to be one. I can rephrase that fairly accurately, and say that "if more than half of individuals who have expertise in a specific field are of the opinion that an aspect of that specific field is a fact, it is a fact".

I'll use Climate Change as an example. I would use something more current, but emotions are running a bit calmer than usual on this topic.
If I were to ask you to tell me the facts about climate change, there are 5, possibly 6 likely answers depending on who you are. If you are a Non-Conservative without a STEM degree, you will likely say whatever CNN represents as "Fact": "Several surveys have shown that 97% of scientists believe climate change is caused by man". If someone disagrees with this fact? "failure to fight climate change is a crime against humanity".



Doom part 1

 Not the game, Doom the outlook. It's going to take amazing luck and abnormal levels of sanity to avoid cataclysmic outcomes. No, not in...