Mirai – is a bot network that is powered by a range of devices including infected home routers and remote camera systems. It took over these systems by using their default passwords. The network of compromised machines is then targeted to overload a target network or service. Last week the Dyn DNS service was targeted which restricted access to lots of other services for users on the east coast of the US.
DNS is like a telephone directory of internet destinations, if no one knows where to go it becomes a lot harder to get in touch.
Mirai didn’t spring miraculously out of thin air. It finds its history in passionate gamers who used distributed denial of service (DDoS) attacks to slow down or even kick opponents off online gaming platforms. Eventually the gaming companies got hip to it and went after the cheaters, not to be outdone the cheaters went after the gaming companies.
Taking a service offline using DDoS became a source of extortion against online banking and e-commerce services. Attacks can be used as a form of ‘digital hit’ to take out opponents or critics like online security commentator Brian Krebs.
Moore’s Law meant that computing power has become so small and plentiful that it is surprising what we often have in the palms of our hands. The first Cisco router was built on the circuit board of a Sun Microsystems workstation. Home routers now are basically small computers running Linux. A CCTV camera box or a DVR are both basic PCs complete with hard drives.
Back in 2007, BlackBerry co-founder Mike Lazaridis described the iPhone as
“They’ve put a Mac in this thing…”
The implication being that the power of a sophisticated PC was essentially in the palm of one’s hand. The downside of this is that your thermostat is dependent on a good broadband connection and Google based cloud services and your television can get malware in a similar manner to your PC.
For a range of Chinese products that have been acknowledged as part of the botnet; the manufacturer acknowledged that they were secured with a default admin password. They fixed the problem in a later version of the firmware on the device. Resetting the default password is now part of the original device set-up the first time you use it.
The current best advice for internet of things security is protecting the network with a firewall at the edge. The reality is that most home networks have a firewall on the connected PCs if you were lucky. The average consumer doesn’t have a dedicated security appliance on the edge of the home network.
Modern enterprises no longer rely on only security at the edge, they have a ‘depth in defence’ approach that takes a layered approach to security.
That would be a range of technology including:
At least one firewall at the edge
Intrusion detection software as part of a network management suite
A firewall on each device
Profile based permissions across the system (if you work in HR, you have access to the HR systems, but not customer records
Decoy honey post systems
All file systems encrypted by default so if data is stolen it still can’t be read
Updating software as soon as it becomes available
Depth in defence is complex in nature, which makes it hard to pull off for the average family. IoT products are usually made to a price point. These are products as appliances, so it is hard for manufacturers to have a security eco-system. The likelihood of anti-virus and firewall software for light bulbs or thermostats is probably small to non-existent.
The Shenzhen eco-system
Shenzhen, just across the border from Hong Kong has been the centre of assembly for consumer electronics over the past 20 years. Although this is changing, for instance Apple devices are now assembled across China. Shenzhen has expanded into design, development and engineering. A key part of this process has been a unique open source development process. Specifications and designs are shared informally under legally ambiguous conditions – this shares development costs across manufacturers and allows for iterative improvements.
There is a thriving maker community that allows for blurring between hobbyists and engineers. A hobbyists passion can quickly become a prototype and then into production . Shenzhen manufacturers can go to market so fast that they harvest ideas from Kickstarter and can have them in market before the idea has been funded on the crowdsourcing platform.
All of these factors would seem to favour the ability to get good security technologies engineered directly into the products by sharing the load.
The European Union were reported to be looking at regulating security into the IoT eco-system, but in the past regulation hasn’t improved the security of related products such as DSL routers. Regulation is only likely to be effective if it is driven out of China. China does have a strong incentive to do this.
The government has a strong design to increase the value of Chinese manufacturing beyond low value assembly and have local products seen as being high quality. President Xi has expressed frustration that the way Chinese manufacturing appears to be sophisticated, yet cannot make a good ballpoint pen.
Insecurity in IoT products is rather like that pain point of poor quality pens. It is a win-win for both customers, the Chinese manufacturing sector and by extension the Party.
Yahoo! had a data breach in 2014, it declared the breach to consumers on September 22. This isn’t the first large data breach breach that Yahoo! has had over the past few years just the largest.
In 2012, there was a breach of 450,000+ identities back in 2012. Millions of identity records were apparently being sold by hackers in August 2016 that the media initially linked to the 2012 breach. It would be speculative to assume that the records for sale in August was part of the 2014 raid.
The facts so far:
500 million records were stolen by the hackers. Based on the latest active email account numbers disclosed for Yahoo! many of these accounts are inactive or forgotten
Some of the data was stored unencrypted
Yahoo! believes that it was a state sponsored actor, but it has offered no evidence to support this hypothesis. It would be a bigger reputational issue if it was ‘normal’ hackers or an organised crime group
There are wider security implications because the data included personal security questions
Vermont senator asked the following questions in a letter to Yahoo!:
When and how did Yahoo first learn that its users’ information may have been compromised?
Please provide a timeline detailing the nature of the breach, when and how it was discovered, when Yahoo notified law enforcement or other government authorities about the breach, and when Yahoo notified its customers. Press reports indicate the breach first occurred in 2014, but was not discovered until August of this year. If this is accurate, how could such a large intrusion of Yahoo’s systems have gone undetected?
What Yahoo accounts, services, or sister sites have been affected?
How many total users are affected? How were these users notified? What protection is Yahoo providing the 500 million Yahoo customers whose identities and personal information are now compromised?
What steps can consumers take to best protect the information that may have been compromised in the Yahoo breach?
What is Yahoo doing to prevent another breach in the future?
Has Yahoo changed its security protocols, and in what manner?
Did anyone in the U.S. government warn Yahoo of a possible hacking attempt by state-sponsored hackers or other bad actors? When was this warning issued?
Added to this, shareholders and Verizon are likely to want to know:
Chain of events / timing on the discovery on the hack?
Has Yahoo! declared what it knew at the appropriate time?
Could Yahoo! be found negligent in their security precautions?
How will this impact the ongoing attrition in Yahoo! user numbers?
How does Yahoo! know that it was a state sponsored actor?
Was there really Yahoo! web being sold on the dark web in August?
Google has had a transformative effect on the world. It reminds me of Dieter Rams on the concept of design had said something to the effect of good design being invisible – once you see the product you couldn’t imagine things exist any other way.
That’s a really good description of the web with Google. In the markets where it operates (with the exceptions of Czech Republic, South Korea, Japan and Russia) it’s a monopoly. Different regulatory authorities are investigating them for leveraging their monopoly into market domination in other categories.
With SERP (Search Engine Results Page) like this one above, I am not surprised that antitrust authorities are gaining an upper hand. This Urban Dictionary integration seems to cross the boundary from being useful to feature bundling. It deprives Urban Dictionary of an opportunity to put ad inventory in front of its audience.
It would be interesting to see if Google got into some sort of content agreement with Urban Dictionary or have just gone ahead and done this?
Back on February 9, 1996, John Perry Barlow wrote his declaration of of the independence of cyberspace. The declaration pointed out the folly of trying to govern something thought to be virtually ungovernable at the time.
Barlow first came to prominence writing lyrics for The Grateful Dead. His ethos came from the libertarian do your own thing ethic that underpinned much of the hippy movement. This probably come more naturally to Barlow than other people having grown up on a cattle ranch and being the son of the Republican politician.
By the time he wrote the declaration, he was already had published extensively about the internet. He was on the board of directors of The WELL – an online community that sprang out of Stewart Brand’s back to the land influence catalogue of useful things The Whole Earth Catalog (The WELL stands for The Whole Earth eLectronic Link). He contributed to Wired magazine (founded by aging hippies Kevin Kelly and Stewart Brand), Barlow’s essay Economy of Ideas published in the March 1994 issue provides a clear view of the thinking that prompted him to write the declaration. He had already founded The Electronic Frontier Foundation with by John Gilmore and Mitch Kapor in response to a series of actions by law enforcement agencies that led them to conclude that the authorities were gravely uninformed about emerging forms of online communication.
The declaration was a reactionary document, brought upon by the 1996 Telecommunications Act in the US. The act eventually resulted in consolidation of US media ownership.
I suspect the similarities in style between the declaration and the Doc Searl’s et al later Cluetrain Manifesto are an intentional nod to Barlow on cyberspace.
A Declaration of the Independence of Cyberspace
by John Perry Barlow <email@example.com>
Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.
We have no elected government, nor are we likely to have one, so I address you with no greater authority than that with which liberty itself always speaks. I declare the global social space we are building to be naturally independent of the tyrannies you seek to impose on us. You have no moral right to rule us nor do you possess any methods of enforcement we have true reason to fear.
Governments derive their just powers from the consent of the governed. You have neither solicited nor received ours. We did not invite you. You do not know us, nor do you know our world. Cyberspace does not lie within your borders. Do not think that you can build it, as though it were a public construction project. You cannot. It is an act of nature and it grows itself through our collective actions.
You have not engaged in our great and gathering conversation, nor did you create the wealth of our marketplaces. You do not know our culture, our ethics, or the unwritten codes that already provide our society more order than could be obtained by any of your impositions.
You claim there are problems among us that you need to solve. You use this claim as an excuse to invade our precincts. Many of these problems don’t exist. Where there are real conflicts, where there are wrongs, we will identify them and address them by our means. We are forming our own Social Contract . This governance will arise according to the conditions of our world, not yours. Our world is different.
Cyberspace consists of transactions, relationships, and thought itself, arrayed like a standing wave in the web of our communications. Ours is a world that is both everywhere and nowhere, but it is not where bodies live.
We are creating a world that all may enter without privilege or prejudice accorded by race, economic power, military force, or station of birth.
We are creating a world where anyone, anywhere may express his or her beliefs, no matter how singular, without fear of being coerced into silence or conformity.
Your legal concepts of property, expression, identity, movement, and context do not apply to us. They are all based on matter, and there is no matter here.
Our identities have no bodies, so, unlike you, we cannot obtain order by physical coercion. We believe that from ethics, enlightened self-interest, and the commonweal, our governance will emerge . Our identities may be distributed across many of your jurisdictions. The only law that all our constituent cultures would generally recognize is the Golden Rule. We hope we will be able to build our particular solutions on that basis. But we cannot accept the solutions you are attempting to impose.
In the United States, you have today created a law, the Telecommunications Reform Act, which repudiates your own Constitution and insults the dreams of Jefferson, Washington, Mill, Madison, DeToqueville, and Brandeis. These dreams must now be born anew in us.
You are terrified of your own children, since they are natives in a world where you will always be immigrants. Because you fear them, you entrust your bureaucracies with the parental responsibilities you are too cowardly to confront yourselves. In our world, all the sentiments and expressions of humanity, from the debasing to the angelic, are parts of a seamless whole, the global conversation of bits. We cannot separate the air that chokes from the air upon which wings beat.
In China, Germany, France, Russia, Singapore, Italy and the United States, you are trying to ward off the virus of liberty by erecting guard posts at the frontiers of Cyberspace. These may keep out the contagion for a small time, but they will not work in a world that will soon be blanketed in bit-bearing media.
Your increasingly obsolete information industries would perpetuate themselves by proposing laws, in America and elsewhere, that claim to own speech itself throughout the world. These laws would declare ideas to be another industrial product, no more noble than pig iron. In our world, whatever the human mind may create can be reproduced and distributed infinitely at no cost. The global conveyance of thought no longer requires your factories to accomplish.
These increasingly hostile and colonial measures place us in the same position as those previous lovers of freedom and self-determination who had to reject the authorities of distant, uninformed powers. We must declare our virtual selves immune to your sovereignty, even as we continue to consent to your rule over our bodies. We will spread ourselves across the Planet so that no one can arrest our thoughts.
We will create a civilization of the Mind in Cyberspace. May it be more humane and fair than the world your governments have made before.
February 8, 1996
So two decades later, how does Barlow’s declaration stand in comparison that what’s actually happened? At first blush not very well. The digital economy outside China is dominated by an oligarchy of four main players: Amazon, Apple, Facebook and Google.
Scott Galloway’s presentation at DLD conference this year, highlights the winner take all nature of the online world. This is partially down to the nature of the online platform. Amazon grew to critical mass in the US as for a critical amount of time buyers didn’t need to pay state sales tax until state legislation started to catch up.
Zuckerberg and his peers marked a changing of the guard in Silicon Valley as yuppies took over from the the hippies.
Inside China there is a similar state-directed oligarchy of Alibaba, Tencent, Netease and Sina.
The oligarchy impact has been most pronounced in Europe, where consumer demand and a lack of effective competition saw Google go to 90+ percent in market share across the EU, when the US market share was less than 70 percent at the time.
Futurist and science fiction author Bruce Sterling summed it up rather well:
“Globalization” is over for 2016. We have entered an era of Internet Counter-Revolution. The events of 1989 feel almost as distant as those of 1789. The globalizing, flat-world, small-pieces-loosely-joined Internet is behind us, it’s history. The elite geek Internet could not resist those repeated tsunamis of incoming users.
It turned out that normal people like the “social” in social media a lot better than they ever liked the raw potential of media technology. In Russia and China in 2016, digital media is an arm of the state. Internet has zero revolutionary potential within those societies, but all kinds of potential for exported cyberwar. The Chinese police spy and firewall model, much scoffed at in the 1990s, is now the dominant paradigm. The Chinese have prospered with their authoritarian approach, while those who bought into borderless friction-free data have been immiserated by the ultra-rich.
In the USA it’s an older American story: the apparent freedom of Henry Ford’s personal flivver has briskly yielded to the new Detroit Big Five of Google, Apple, Facebook, Amazon, and, in last place, Microsoft.
In 2016, everything that looks like digital innovation, “big data,” “the cloud,” the “Internet of Things,” are actually promotional slogans that play into the hands of the GAFAM “Big Five.” Anybody who lacks broadband and a mobile OS is in deadly peril, especially the digital old-school likes of IBM, Cisco, Hewlett-Packard, Oracle… and the hapless TV networks, whose median viewer age is now in the 60s.
The GAFAM Big Five, the “Stacks,” will turn their wrath on the victims closest to them, well before they complete their lunge for control of cars and thermostats. However, their destiny is obvious. The rebels of the 1990s are America’s new mega-conglomerates. Google is “Alphabet,” Apple pruned the “computer” from its name, Amazon is the Washington Post. In 2016, that’s how it is, and in 2017, 189, 19, much more so.
So the not-evil guys are the new evil guys, but don’t be scared by this. It’s quite like watching the 1960s Space Age crumble from giant-leaps-for-mankind to launching low-orbit gizmos for profit. It’s comprehensible, it can be dealt with. Sure, it’s tragic if your head was in the noosphere, but if you have any historical awareness of previous industrial revolutions, this is really easy to understand. It’s already in your pocket and purse, it’s written on every screen you look at It could scarcely be more obvious.
Yes, Internet Counterrevolution is coming, much of it is here already, and it’s properly considered a big deal, but it’s not permanent. This too shall pass.
And this post hasn’t even touched on how government has looked to plug itself into all facets of online life in the interest of discovering terrorist plots, organised crime or paedophile rings. Assaults on cyberspace sovereignty are numerous, from Pakistan’s special editable version of YouTube to several governments looking for cryptographic backdoors.
At DLD 2016, you have a German politician talking about the mechanism of how the government needed to rollback citizen rights to privacy to give German start-ups a chance. In this winner takes all world, the beneficiaries are likely to be Google, Facebook Amazon and Microsoft rather than a local champion.
I started on this post in mid-January and scheduled it to go out on February 8, 2016. danah boyd also published on the declaration of Cyberspace and I recommend you go and check out here.