The Internet of Unpatched Vulnerabilities

A friend recently posted some concerns about how flaws in TVs and other smart devices could be used to spy on us. I responded with some of my observations and thought it made sense to expand on it for a full blog post. While this is an issue that the security industry has been warning about for years now, there has been little action on the part of the consumer-electronics industry, which is rapidly becoming the #1 source of computers (AKA “The Internet of Things”).

The Stupidity of “Smart” Devices

There are several problems with most of the new “smart” devices. First of all, there is no security engineering put into any of these products (even “security” ones, like home router/firewalls), so architectural flaws that should have been caught early on make it into the device (don’t get me started on WPS). They are also often based on open-source platforms, which isn’t a problem in itself, but those platforms have security flaws discovered all the time and are rarely — if ever — updated on the devices. Since these devices have no ongoing update process (when was the last time you updated the firmware on your TV?), there is no way to ensure that these devices don’t have open, well-known, vulnerabilities.

When you buy a computer or iOS device (sadly, Android is a different story — more on that later), you have some guarantee that there will be some period of updates available and it often happens in the background, automatically. This doesn’t happen with consumer devices — especially ones that get refreshed every year, like TVs and Audio Receivers, and they’re becoming more and more ‘connected’ every day. Even home routers are not immune to this process (which people have started to notice). You’re lucky if they ever get around to releasing an update fixing core functionality issues, as all development work typically stops when they start ramping up production on next year’s model.

Problems with Home Routers

As I mentioned earlier, people are starting to notice this problem with home routers. A new worm (“TheMoon”) made news by attacking flawed Linksys E-Series routers that no longer receive updates. This was right after another vulnerability in Asus routers made news from people finding notes on the attached hard drives. These were both relatively benign, but they could just as easily have been malicious, as the attackers gained full control of the devices. According to research by Tripwire, 80% of home routers have security vulnerabilities. They went on to show that most people (even IT professionals) don’t change default settings that open the devices up to more potential vulnerabilities (many don’t even change the default password!).

Unfortunately, there will probably be little to no support for changing this situation in the near future. OEMs have no incentive to update devices once they’ve been released and consumers don’t demand updates. Even after all the news about breaches, stolen credit cards, and identity theft, it’s still difficult to get users interested in security, period.

Android’s Update Problem

Interestingly enough, this is one of the primary reasons that Android has ~20% market share in Corporate environments for phones and <10% for tablets, while over 70% of the consumer phone market (the #1 reason is still that >90% of mobile malware is on Android). This is something I have personal experience with, as I write mobile device security standards (among other things) for a Fortune 200 company. Enterprise users care about ongoing support and security updates in ways that most consumers don’t. As a result, I expect to see some changes on that front as Android OEMs try to be more appealing to Enterprise clients. Just in the past week, HTC announced that they will be supporting their flagship Android devices with updates for 2 years, but this seems to target those wanting new features, not necessarily to support security updates.

It certainly looks bleak at the moment (“it’s always darkest before the dawn — or before it all goes black”), but there are still ways that this can be solved. However, this is already a long enough post and the solutions are not simple, so I’ll be writing a follow-up with some ideas on how to solve this.

Posted in Gadgets, Security

Bike MS 2012

Lisa and I have been lightly mountain biking for several years and started getting into road cycling this last year. This is partially due to my brother and his wife regularly doing rides like the Oregon Bike MS 150 (100 miles the first day, 50 the second) along with several other longer rides. They even completed this year’s AIDS/LifeCycle (which runs from San Francisco to LA) a couple of weeks ago. We decided to join them this year on the Bike MS ride this last Saturday, trying to complete the 60 mile course (we didn’t feel ready to ride 100 miles in one day).

We spent the last few months building up the appropriate gear (though I may have gone a little overboard with some of the upgrades to the bikes) and building up to the point where we considered a 10-mile ride to be a “short ride”. The weekend before Bike MS, we did a 45-mile ride with considerable hills (including some 11% grades) and felt like we could go further at the end (we just didn’t want to exploit our babysitters’ time beyond what we had already — thanks, Mom & Dad!), so we felt prepared for the 60-mile ride.

Well, we didn’t quite make the full 60 — I guess trying this on the hottest day in the last 3 years was a bad idea. The first half was great, but at about the 30 mile mark, the temperature started gaining quickly. We heard that several of the 100-mile riders switched to the 60 route at that point. It might have helped that the worker at the corner was pointing at the 60-mile route and said “Beer!” and then at the 100-mile course and said “Hills!”.

Then, at the last rest stop, Lisa’s shoe wouldn’t disengage from the pedal — one of the screws that held the cleat in had fallen out! We got some help and were able to get it functional with only 1 screw holding it in, but it started to come loose again after a mile or so and was hurting her on the climbs.

Before that rest stop, I accidentally checked the temperature (I was trying to avoid knowing) and it was 103 F! When we decided to call it at 54 mi, we ran into another cyclist who saw it as high as 106! This was just too hot for us (especially me) and the cleat problems were a real safety issue (you don’t want your foot attached to the bike if you get in an accident). However, it was the heat that really sapped our energy. We even heard that several people who signed up for the 100 and switched to the 60 ended up pulling out before the end.

We’re now looking for another 60-miler to do next month (hopefully on a cooler day) so we can complete it, but we’re still proud of the accomplishment we made. We’re both sure we would have been able to complete the 60 if it weren’t for the heat — we’re from Oregon, so we’re just not used to it!

Posted in Cycling, Road Cycling

Asking the Right Questions

”Answers are easy. It’s asking the right questions which is hard.” (The Fourth Doctor, The Face of Evil, 1977)

A few weeks ago, I attended the NAMM Show (put on by the National Association of Music Merchants) in Anaheim, which is the biggest music equipment show in the world with over 90,000 attendees and numerous vendors trying to sell all types of gear and services to help people make music. Anyone reading this who noticed that I tagged it with ‘Security’ is probably wondering at this point what this has to do with that topic, but keep with me — it’s worth it.

During the course of the show, I attended several classes on various recording techniques. Most of these classes ended with a question and answer session. What struck me was that during every single session, the same questions were inevitably asked and most of them boiled down to “What should I buy?”. There were subtle variations, of course, such as “What is your FX chain?” or “What mics do you use?”, but these questions aren’t what the people actually wanted to know, though it’s what we’ve been trained to ask. I’ve seen the same flaw in the security industry, where people constantly ask what to buy to protect them, but this isn’t the right question in that situation, either.

What people actually wanted to know at NAMM was “How do I make my recordings sound like yours — or at least sound better?” While at security conferences, the question is “How do I protect my company (or organization) and its data?” Perhaps part of the reason we don’t ask these questions is that they are much more complex. Asking what to buy is a simple question with a quick answer and a point in the right direction. Another big reason is that these conferences, by their very nature, are product-oriented, so the thought of what you can buy would come naturally.

To move forward, we need to stop looking for the easy way out and work to ensure that we solve the root problems. To make better recordings takes time and experience (and working with several types of gear to get the desired result). The more recordings you do, with a variety of styles and artists, the better you will tend to get at it. For security, research and hard work are involved, as many of the problems have no definite solution — everyone’s doing the best we can with the resources available. Many people have solutions to pieces of the problem and you will need to work out what the best answers are (and it may include some equipment or services).

I think The Doctor (or actually Chris Boucher, the episode’s writer) was simplifying things a bit in the above quote, since there are many questions which do not have easy answers. However, you’ll never get the right answer if you keep asking the wrong questions.


Posted in Music, Security

Lack of Updates

I can’t believe it’s been so long since I last posted. I’ll try to keep this up a little better this year, but between my family, work, and my band, there just hasn’t been much time.

While I would love to update it once a week, I know better than that. I’m actually going to try to post about once a month. I’m hoping that by putting this in writing, I’ll have a better chance at actually keeping up with it. Only time will tell if that’s true.

Update: Well that didn’t last long. Unfortunately, I’ve had a hectic travel schedule the last few months and was not able to keep up as I would have liked. The truth is, like many other people who started blogs, I’ve found that it’s just not as important as I thought it might be.

C’est la vie.

Posted in Site News

Why Are Tablets So Popular?

Now that the iPad 2 is out and several competitors have been announced, the tablet market is all of a sudden the new hot technology that everyone has to have. When the first iPad came out, I was part of the chorus that derided it as being just a larger iPod Touch with no real added value. I had an iPhone at the time and saw no need to rush out and get an iPad — I had the iOS ‘experience’ already and didn’t see the value aside from a larger screen. However, when the iPad 2 came out I was ready to buy the first day and have been very happy in my first week of ownership. What had changed from the iPad 1 and why had the iPad found success where countless others had tried and failed?

Tablets are not exactly a new thing, as I remember using several Windows tablets more than 5 years ago that had all the same basic concepts that modern tablets have, but they were glorified PCs with touch screens that required a stylus. They also weighed several pounds and were really meant to be used when laid on a surface instead of held in your hand constantly. The iPad created the modern tablet, cutting down the weight and using an OS that was designed to be used with a finger instead of a mouse. The first iPad quickly was seen as good for web browsing and email, which is what many of the first buyers used it for, but it was considerably more expensive than a netbook or used laptop which could easily do the same — and at the time, more. This led many to make fun of iPad purchasers.

Then something happened. Developers started writing apps uniquely for the iPad inspired by its book-like qualities, touchscreen, and light weight. These ranged anywhere from games to book readers to apps that turned the iPad into a full-fledged musical instrument. The latter was much of what caught my attention. Applications like MorphWiz and miniSynth Pro, along with the new Apple GarageBand allowed users to create music with both new instruments and reproductions of existing instruments, as well as to use the iPad as a portable recording studio. In fact, the band Gorillaz recently made an entire album on the road using only an iPad for all the recording and most of the instruments.

Another use that came out was one that musicians have dreamed of for years — a digital music stand. All your music is displayed on a screen that you either touch or hit a foot switch to flip the page. There are now several apps that do this. Before the iPad, there were only a couple of vendors making such a solution, but they required expensive, custom hardware and software and were out of the reach of most musicians.

Another app that has caught my attention since I bought the iPad is Flipboard. It scrapes content from multiple sites and displays the first part of each page in a format that looks more like a newspaper or magazine along with pictures from some of the articles. You can even set up your own feeds based on twitter accounts or RSS feeds. It is a very fast way to browse through sites and find which articles are of interest which you could then tap to pull up the full article. I highly recommend it for anyone who has an iPad.

There are plenty more examples out there and more coming every day. I just heard that an update to the game Real Racing HD is coming out which allows you to use the iPad as a controller and secondary display for a racing game that will run on your HDTV. The graphics quality is comparable to that of a PS3 or Xbox 360.

Another area that is perceived as an advantage is that most people feel that you are more secure using a mobile device than a PC. However, it’s really not the case and will probably be the subject of a later blog posting.

Now that Apple has created the modern tablet with the iPad, I expect that the market will continue to expand. With some new competitors in the space, there will continue to be advancement in tablets over the next few years, but they will all use the same basic formula created with the iPad. But what will really drive advancement in their use is software.

My new iPad has almost completely replaced my personal laptop for everyday use since it’s faster, has a nicer (albeit smaller and lower resolution) screen, is more portable, and the apps work much more smoothly. In fact, I actually wrote this entire blog post using my iPad (though I did use a wireless external keyboard) using the WordPress app. While my total cost was slightly higher on the iPad, the addition of the portability, long battery life, and touchscreen, along with all the new applications I’ve been using has made it quite worthwhile. If you haven’t tried using a tablet, I recommend that you do (the iPad is still the best currently, but competitors are starting to catch up). They are definitely more than just a fad and will be continuing to grow in use in the future, replacing the laptops of more and more people.

Posted in Gadgets

Thoughts on The 2011 NAMM Show

Band From TV Performing at The NAMM Show

A couple of weeks ago, I was able to attend The NAMM Show for the second time. For those who don’t know, The NAMM Show is the annual event that brings together all of the music equipment manufacturers, the retailers who sell them, and many musicians. This is where most major new product releases occur and also serves as an industry reunion.

The biggest part of the show is the exhibit floor, which fills most of the 800,000 square foot Anaheim Convention Center. This is a great place to get hands on with more music gear than you can find anywhere else. You also have direct access to people who know the gear much better than your average Guitar Center salesman.

Me with Sheila E and her brother, Juan Escovedo

Since this is a music convention, of course there are concerts around every corner. The first one I attended was the second annual NAMM Night of Worship, which had everything from modern worship musicians like Tommy Walker, to former pop star and still excellent percussionist Sheila E, to Christian Pop/Soul band Newworldson (who I had not heard of before, but impressed me with their technical ability and showmanship).

We also checked out the Band From TV; Greg Grunberg’s (Heroes, Alias) side project with a number of other TV stars including Jesse Spencer (House), Adrian Pasdar (Heroes), Bob Guiney (The Bachelor), and Scott Grimes (American Dad, ER). Hugh Laurie (Dr. House, himself) normally plays with them, but couldn’t make it to this show. The band is actually pretty good and could probably do quite well even without their celebrity.

This year had a number of great new percussion technologies that look really exciting (my primary instruments are drums and percussion). The biggest of these were the new Zildjian Gen16 Acoustic/Electric cymbals. These are a radical new design that has thousands of holes and are made from a special alloy that reduces their volume by 75-80%. They then use a pickup system that sits under the cymbals which is routed through a DSP to make them sound more like a traditional cymbal.

All in all, it was a great trip and I look forward to going back in the future. The NAMM Show is always full of innovation and great music and will continue to do so in the future. If I get time, I’ll try to put up some more detailed product reviews from the show.

Posted in Music

New Blog

I’m a bit behind in getting a blog, seeing how just about everyone and their cat has one now. However, I didn’t really want to build one unless I had something to say and had some time to put into it (I had to give up waiting until I had time — that was never going to happen).

I’m going to try to focus on Security issues, but will also have some updates on music, cars, gadgets, and my family. Basically, whatever suits me at the time.

I hope you enjoy the site!

Posted in Site News