Aug 22, 2016

Technology is no longer driven (=funded) by innovation but by the ability to produce "recurring revenue". Selling software and some support around it is no longer a viable business model. It's unicorns or nothing.

Even Microsoft has seen that coming (and responded by open sourcing gradually ... from C#, ... MS Azure, ... the current Windows-10 beta that runs a Linux kernel, to PowerShell that runs on Linux). Has hell frozen over? No. But we think the only way to make money is with reselling user-data. And the VC industry reflects that. How many tech businesses that made it big today aren't built on central data harvesting of their users in exchange for "free" stuff?

We've pushed all our computing to the cloud and think it's the panacea to everything. Do we really expect to apply the same business model and technology principles from virtual world to our physical devices and get away with it? Reminds me of the old phrase, "When your only tool is a hammer, everything looks like a nail".

Problem isn't that Security is so much worse in IoT than in your typical web application stack. The problem is that it isn't any better than web-security! We have XSS and SQL injection in IoT, crypto built on shitty javascript, we have MiTM attacks, lack of authentication, ... worse, we can re-use the same exploits (shellshock, heartbleed, ...), and nearly identical attack-vectors! In the age of Shodan and MASSCAN we won't get away with that [1]. (ProTip: (from Gartner, I think): you can send payloads with MASSCAN to a gazillion connected devices by 2020 ;-))

Take a look at the issues of trust on the web! How many signing countries can we trust in our certificate chain? How confident are we that our HTTPS connection is safe (cloudflare is known to MiTM[0] half the internet, so the silly green browser padlock doesn't mean anything) Yet we expect to use the same flawed trust-model with IoT (where bugs hit us in our physical face) as we use on the web. We want to protect all this with Tor browsers, even more centralization and vendor-lock-in or even creating dystopian proposals like the ones from many EU based countries (hello Germany) that propose that the data will never leave the EU.

The vendors response?

I, and many others who stepped forward to report critical bugs to IoT companies are ignored, accused, blocked. I started IoT Security[5], on LinkedIn some years ago. LinkedIn is a joke of a platform I agree, but it also allows us to put all this shit right into the face of these crappy vendors. It's the perfect melting pot for marketeers and engineers ;-))

Privacy and Security have gotten worse over the years. not just for IoT but on the web in general. We point the finger to the "Internet of Shit", but do we expect if we constantly use the wrong tools for the job?

We're looking to the industry to solve this for us. An industry which hasn't figured out yet how to monetize their technology without selling our private data. VC's are as much part of the problem as tech companies. What could go wrong? It's like asking an addict to seek cure by discussing it with their dealer.

There is too much technical debt in terms of privacy & security that all these gadgets are either going to kill us, and as consequence will be regulated like anything else that has killed regularly in the past. If not now then as soon as the first connected car is weaponized, or the first smart-home kills someone.

Nation states and their armies have become dependent on the Internet to keep us safe. They're doing a good job reminding us that the cyber-threat is real. They're right about the threat. What we're wrong about though is believing that global data harvesting by shady intelligence services will keep us safe. But they have their own agenda[4].

The way forward? Certainly not more centralization or cloud.

PS: If you're also sick of all this shit, please do find me ;) there is lot's to talk and little time.