Conference: March 6-8, 2017
Workshops: March 9-10, 2017
Keynote: Security War Stories: The Battle For The Internet of Things
Location:
- Fleming / Whittle, 3rd fl.
Day of the Week:
- Monday
The current age where privacy is no longer regarded as "a social norm" may not long survive the coming of the Internet of Things. To a lot of people the digital Internet still isn't as real as the outside world. But it's going to be a different matter altogether when your things tattle on you behind your back. If everything is smart, everything will soon be measuring, calculating, and weighing your life. Suddenly it's not just your email, or the photographs of your cat, but your heart rate, your respiration rate, and how you slept the night before.
But the rush to connect devices to the Internet has led to sloppy privacy, and sloppy security. That can't continue. We therefore will pick over the Internet of Things battlefield of the last couple of years and point out poor architectural choices, poor decisions, and poorly secured things. The hope is that these battle stories can inform future architectures, and make hindsight the best foresight. Because we need to fix the Internet of Things before it becomes a threat to the Internet itself.
Interview
The talk focuses on the sort of security problems people face when building Internet of Things devices, and the underlying differences between the Internet of Things and the digital Internet that drive those security issues. For instance, a lot of computer security is based on the assumption that you don’t have physical access to the computer. It’s one of the classic mantras: “If they have access to the keyboard, you’re done. You don’t have any security.” That’s a traditional view of security. But for a smart device that’s a ridiculous idea. The whole point of Internet of Things devices is that you have physical access to them, that you can hold them in your hands. So that’s one of the things people are doing wrong. What I want to do is try to present a series of war stories, and try and pull more general lessons from those stories.
One place where Internet of Things is really exposed to end users is in the hotel industry—radios, lighting, doors, all those types of things—it’s a leading indicator of the problems when smart devices and people interact. So I plan to share a couple of the war stories around hacking hotel smart systems.
The message I’m trying to get out is that security of physical devices is crucial because of their longevity. These Internet of Things devices will be with us for years, but people are building these devices with a very Silicon Valley mindset. They are building them with the idea that they’ll go away in a year, or perhaps two at the most, and you’ll buy another one. But think about that: when was the last time you replaced your boiler? When was the last time you replaced all the light bulbs in your house, or your door locks?
These devices are going to live in our environment, in our homes, for 10 or even 20 years. We’re talking the lifespans of cars, refrigerators, and cookers. You therefore have to assume the software and hardware architectures behind those devices are going to be with us for the same amount of time, and right now people aren’t taking that into account. We have to build them to be discoverable, updatable, and maintainable. What happens when the company that built them has gone bankrupt? Do the devices, the very fabric of people’s homes, just stop working?
There are two big takeaways. Firstly, we really need to build security into our things from the ground up; it’s our responsibility to make sure these devices don’t go out into the wild, into people’s homes—into their lives—and leave them vulnerable. Security isn’t about computers, it’s about people. Currently, as an industry, as developers, we are failing them.
Secondly, the software architectures of the devices we’re building will fundamentally affect the business model of your company. Right now, the business model behind most smart things is simple: consumers make a one-time purchase of the thing, without any commitment to a subscription to support the cloud services that make the thing “smart” in the first place.
Manufacturers are therefore gambling that the ongoing maintenance costs for the cloud services will be low and that a sufficient number of new customers will buy the thing to cover ongoing costs with new business. Unfortunately, these assumptions about the number of new customers have proven overly optimistic.
Right now there are three big problems with the Internet of Things: security, refresh cycle, and standards. Of the three, only standards is really being talked about as a problem. However, the other two are by far the more important.