Category Archives: security

The IoT AI Manifesto

With the recent sloppiness in implementing software & hardware and synergizing them into the being called IoT, the time is appropriate for a de facto manifesto to be put in place for the artificial species called IoT.

I assume most of us are aware of the Three Laws by Isaac Asimov.

What I propose is built for robotics interacting with lesser-minded humankind!

  1. A piece of equipment, if called IoT, should abide by:
    1. It should be considered a legal offspring of the last hand-off human entity.
    2. It should have an IDENTITY mode that lets it spill out its purpose/identity/owners.
    3. It should have a safe mode where any voice may command it to stop the current action (something like a STATUE/RESUME mode).

Pretty simple! Very much doable!

Thoughts?

The Slow Moving Manifesto!

If you are being tailgated, we recommend you follow this approach to come out of that situation!

Go Absolutely Slow!

YES, surprisingly it works out just fine!

Purpose: To know who is tail-gating you AND Why?

How it works?

  • If the vehicle following you sees you slowing down, they will have no choice but to speed up (which means they were not following you) or look you in the eye. (Either way, the problem is solved!)

Benefits of slowing down

  1. By slowing down, you opened an opportunity to talk. Human connect!
  2. By slowing down, maybe you can have a running conversation; you are driving + talking (giving directions, who knows). Saves time!
  3. By slowing down, you saved lives! No stats, but still true!
  4. By slowing down, you enjoy the roadside scenery. (Remember: enjoy the journey, not just the destination!)
  5. By slowing down, you literally look the problem in the eye rather than running away from it.

There goes, we have the Slow Moving Manifesto!

Credits: Smita, Rachit + (KennyG played in our neighbouring park @ 1000 hrs) 🙂

Rebuttal | Top 9 ethical issues in artificial intelligence (www.weforum.org)

Please read this before understanding the context of this post.

They are asking silly questions, that need to be nullified.

1. Unemployment. What happens after the end of jobs?

It has been established very strongly that weak minds fear technological advancement. If you are not ready to upgrade yourself, you become stagnant in your current work. So, overruled! We should have one objective: advancement in technology should not be subject to professions unless it is unethical. Ask the truck drivers about the ease of remote car locking (I am sure they are using it). Why did they not protest for the locksmiths? It's a statement made to create unnecessary tensions.

2. Inequality. How do we distribute the wealth created by machines?

Why? If you stumble across a pot of gold in AI by providing some solution, you choose how you spend the money you own. Did anyone ask how to distribute the money <some-business-tycoon> earned from their business? Such events occur, and machines do not own wealth, so there's no inequality. What's this question for?

3. Humanity. How do machines affect our behaviour and interaction?

We might need to start training everyone on this front. Already we (at least I) find ourselves struggling in our behaviors and interactions with fellow humans; add another human-like AI, with no heart and consciousness, and you are only going to make things complicated. Hence the need for training. Related post here.

4. Artificial stupidity. How can we guard against mistakes?

Remember what Einstein said about stupidity? Well, we should solve/address things that are solvable and not something unpredictable. Can we program stupidity? I think we are still far from it. (stupid != foolish)

5. Racist robots. How do we eliminate AI bias?

Why do we put racist behavior inside AI first? Fix the root, you get a better fruit. See #7 resolution for more on this.

6. Security. How do we keep AI safe from adversaries?

Propaganda. Read a resolution for it in my earlier post here.

7. Evil genies. How do we protect against unintended consequences?

Simply have an insurance policy for AI: any person/entity who produces an AI product will be held responsible for any consequences coming from it. And that ownership will be lifetime, not conditional or lease based. I do not know why we have forgotten Newton's 3rd law!

8. Singularity. How do we stay in control of a complex intelligent system?

Two examples come to mind: Alphabet and the UN. One is a perfectly managed complex system (Alphabet) and the other is a hopeless mess of crap (the UN). Learn from Alphabet. I doubt there is any other convincing organization genuinely working for us humans.

9. Robot rights. How do we define the humane treatment of AI?

I am surprised this question is being raised by heartless minds. Rights are for entities that have life (insects, plants, animals, humans qualify). Have we arrived at a state where human rights are protected on the whole planet, forget about the others? Until that state is arrived at, it is unfair to ask for something called robot rights. Did we ask for TVs' rights, cameras' rights and toasters' rights? Referencing this post here again.

Hope this takes the thought process in a better direction.

When the internet was crippled to a halt! ~ The DDoS attack – A Post Mortem

The Problem

A couple of days back, on 21-October-2016, everyone connected to the web experienced sluggishness in reaching the usual sites and saw their regular work obstructed.

The scenario can be visually described as follows:

DDOS Attack Explained

In case you are wondering why this attack happened now: the internet is so mature, why can't it protect itself from such attacks?

Well, then do read on…

The Players

From an ideal perspective the players in the attack are listed:

  1. Users of the web (us) (attackers and victims)
  2. ISPs (the medium through which the attack was carried out)
  3. Device manufacturers (Things, which got compromised — zombies)
  4. Regulatory organizations (they are mostly sleeping or doing other important silly stuff; let's leave them out of this discussion)

The Premise

Let us look at those questions asked earlier and more:

What is DDoS?

It stands for Distributed Denial of Service. Consider the regular pesky thing you have to deal with and can't live without (siblings, kids, neighbours... any human thing). They come nagging to you; you can handle it, but maybe 10 requests a day at most! The 11th request from that pesky thing gets a denial-of-service response (simply a No!).

Now, imagine yourself at a playhouse. And you already have a minor headache (it was Friday, everyone was in the mood to relax). Multiply your single pesky thing by, say, 10; you are bombarded with pesky requests from everywhere. What will happen to you? You might handle, say, 20 requests at that moment, looking at the situation, but a time will soon come when you get exhausted and simply stop responding to important requests like "open the door", and you are standing still!

You just got DDoS'ed 🙂

Can you explain it in layman’s terms?

Here is the wikipedia entry.

I still did not get it..

See this:

Why this attack happened now?

It was waiting to happen; it's a too-many-cooks-spoil-the-broth kind of scenario. Lots of unpatched/sloppy devices connected to the internet, working for you, and they all had a common zombie entry point that simply got activated!

The internet is way mature, why can’t it protect itself from such attacks?

I am sure there are some organizations that were actually fighting this menace! Imagine a hospital unable to get the reports of a patient in critical condition! So I am pretty sure what got reported and what actually got fixed and treated is somewhat different. So the internet is not at all mature; we are still not ready to have our life depend on it. Our livelihood might depend on it, but not life! So some organizations might be involved (even now) in preventing many such attacks to keep the internet working, and some sleeping regulations might also have protected and saved us from a much more severe attack!

The rules are pretty simple: everyone is united on this matter, and no one likes a DDoS attack to happen! It actually interrupts the normal/perceived flow of life on a day-to-day basis.

So basically it's the attackers who (misused?) compromised devices and affected the network. It's pretty clear there is something that needs to be fixed/controlled in the wild. And it's not impossible...

Onto the solution then, shall we proceed?

The Solution

A two-part solution can be proposed:

  1. Regulation. In an ideal world, regulation is already in place; device manufacturers are supposed to follow it, and hence they are able to sell their products. So something stronger needs to be put in place for regulation. Say, if a device is an IoT kind of device, then as per regulation it should be allowed to use only 5% of the bandwidth. If it's a phone or a computer, then it will not have such a restriction, or maybe it can have one!
  2. ISP-level quota software. ISPs would want to pitch in on this idea, where custom configuration software is installed at each user's site and, based on the MAC address, bandwidth quotas can be defined. Say you got a new IoT device for your home: you get to configure and set a maximum bandwidth that device is allowed to consume on your home network.
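To make the per-MAC quota idea concrete, here is an added example (not code from the original post) of the check such home-router software would run: aggregate bytes per MAC over a measurement window, convert to bit/s, and flag quota-bearing devices that exceed their share of the link. The MAC addresses, the 100 Mbit/s link, the 60 s window and the flow records are all constructed for the demonstration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One per-device byte count observed in a measurement window (constructed)."""
    mac: str
    bytes_sent: int


WINDOW_SECONDS = 60           # hypothetical measurement window
LINK_BPS = 100_000_000        # hypothetical 100 Mbit/s uplink

# Per-device caps as a fraction of the link, as the post proposes: IoT devices get 5 %.
# Devices absent from this table (phones, laptops) carry no cap here. MACs are made up.
QUOTAS = {
    "aa:bb:cc:00:00:01": 0.05,   # hypothetical IP camera
    "aa:bb:cc:00:00:02": 0.05,   # hypothetical smart plug
}

# Constructed flow records for one 60 s window; not captured traffic.
SAMPLE_FLOWS = [
    Flow("aa:bb:cc:00:00:01", 80_000_000),
    Flow("aa:bb:cc:00:00:02", 1_500_000),
    Flow("aa:bb:cc:00:00:01", 10_000_000),
    Flow("de:ad:be:ef:00:03", 300_000_000),   # laptop, no quota
]


def bits_per_second(flows, window_seconds=WINDOW_SECONDS):
    """Aggregate bytes per MAC over the window and convert to bit/s."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.mac] += f.bytes_sent
    return {mac: total * 8 / window_seconds for mac, total in totals.items()}


def over_quota(flows, quotas=QUOTAS, link_bps=LINK_BPS, window_seconds=WINDOW_SECONDS):
    """Return {mac: (observed_bps, cap_bps)} for quota-bearing devices above their cap."""
    rates = bits_per_second(flows, window_seconds)
    violations = {}
    for mac, rate in rates.items():
        if mac not in quotas:
            continue
        cap = quotas[mac] * link_bps
        if rate > cap:
            violations[mac] = (rate, cap)
    return violations


if __name__ == "__main__":
    for mac, (rate, cap) in over_quota(SAMPLE_FLOWS).items():
        print(f"{mac}: {rate / 1e6:.1f} Mbit/s exceeds cap of {cap / 1e6:.1f} Mbit/s")
```

Two caveats a practitioner would attach to this design: a MAC address is self-reported by the device, so a compromised device could present another address, and a byte quota only bounds the volume a device contributes. A zombie that sends small packets (DNS or SYN floods) may never approach 5% of the link yet still take part in the attack, so the quota limits damage rather than preventing participation.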

Thoughts?

Bots – BOring Tasks Systematized!

We are surrounded and supported by a bots ecosystem. I will try to bring that into perspective to evaluate the current rate of explosion of bots and newer solutions coming around it — and how to stay human still!

Connected with the Bot Ecosystem!
  • When we wake up with help from an external alarm clock, we are taking help from a Bot.
  • When we are parking our car and reversing it, there is a smart system that warns us of the exact safe distance to keep going. That's a smarter Bot!
  • Notice the cool soap dispenser that spits soap when we put our hand under it? That's a Bot!
  • Recall the automated vacation response you configured in your favorite email client? Well, you have guessed it, that's also a... Bot!

We have never thanked these systems for their existence, for we know they are physics concepts glued together mechanically. A Thank-You comes and goes via a heart! 🙂

Coming back to the topic, now imagine all of those Bots, fusing into a single system with a human structure!

SuperBot
Hey, I am SuperBot and can do everything that was listed above & much more!
  • What was your reaction the last time your car's backing system told you, incorrectly, that you were 1 meter from an obstacle while there was a gap of roughly 5 meters?
  • When was the last time your alarm clock did not wake you up? (Battery out or way too low?)
  • Isn't it irritating when the mechanical soap dispenser does not spit out the soap and instead only throws out air?
  • Haven't we all misfired a wrongly configured vacation response and felt embarrassed, apologizing for it all day long to colleagues and co-workers?

As for the premise, these bots *independently* do their job perfectly. And when they break, nothing else around them is affected. Well, I am yet to hear about a misconstrued vacation response due to a non-working soap dispenser! (All right, that's way too much exaggeration — but we get the point!)

The fact that they are disconnected, allows us, the user of that system to fallback/switch to another means. Say the car backing system is down, well ask a passerby to help you. Your alarm clock is out, well start working on your body’s alarm clock(no excuse here!).

I will construct two hypothetical views that are actually happening in the bots eco-system and obviously I am opposed to such developments. Hence suggesting a way out, as I cannot stop these movements.

  1. Once these systems are connected, and one of its components starts acting strange (see, I elevated it to a human), the whole behavior might be eccentric, to say the least. If your SuperBot is out of battery, it might just manage to wake you up but might not be able to send the vacation responses.
  2. Add the internet to the mix!

    I’m out of order but controlled via the internet.

The take away from the whole story:

  1. Let us, as individuals, not try to fuse all our bot dependency into a single system. That makes failure highly probable, and although it gives us a lot of convenience, it comes at a high cost of dependence. This whole connected thing is a convenience at the cost of our freedom.
  2. The most secure sites are still subject to theft/fraud (I am only referring to financial losses). When a fused bot with the thinking of the whole internet is there, one small error/condition left unchecked/unnoticed will not be safe, to say the least.

As for the bots ecosystem, I would love to see

  • a centralized parking bot, bringing big relief to all humans from this petty job
  • an aerial bot that delivers newspapers

But then again, I won't allow either of them to talk to each other. A single Bot, good for One Task. 🙂

Learn Exactly How I Improved My Digital Security and Privacy In 2 Days

You have zero privacy anyway, Get over it! – Scott McNealy ~ 1999

What is the real fuss all about?

In real life we have privacy, well, kind of: no stranger can just enter our houses, right? Well, think again, from an evil stranger's perspective: there are layers of security already there that ensure our safety:

Systems: Govts, Municipality, Locality, Society, House.

People: Police, Neighbours, House occupants, Passerby, You.

Q: So why is it that digital security has caused so much trouble?
A: Each and every individual (you) & their digital account (yours) is a potential target for the evil stranger!
Here's the simple math: online world population x online accounts per person == potential virtual estate targets for the evil stranger!
Assuming that a person has at least a single email account, the online world is as insecure as the real world; add to the mix that these accounts are held by anyone from 8+ years to 60+ of age, with varying degrees of meaning of security in their minds!

Defining the attacks

All attacks can be broadly arranged into these 2 categories!

  1. Illegal entry (untrusted)
    These attacks are generally entrusted to be taken care of by the system you are connected to! Say you go to a friend's place for dinner; you would not expect to have to guard your food from the dacoit running on the streets! You would trust your friend's premises to take care of this already; any mischief would be assumed to be an illegal entry, actually questioning the system as a whole!
  2. Pretending to be someone else (trusted)
    It's not just people; systems can now also assume our identities and hence are subject to being trusted or not! When this happens, the systems can be abused on behalf of an individual. So it is not just a stranger misusing your credit card, but worse, a lesser-known stranger!

The Warrior Approach

Every digital identity is under attack, and like in the real world, a responsible citizen keeps their ears and eyes open; in our digital avatar, we ought to think likewise!
There is no fool-proof way to secure your digital identity except taking care of known best practices! You break the rule; you end up paying the price depending on where you committed the mistake!

  1. Choose better passwords
    a) Create/update and change your existing account passwords from here: http://passwordsgenerator.net/
    b) If you have a number of connected systems and too many passwords to manage, think about getting a password management system (they are not safe either), or best keep them in an offline system with ready access!
  2. Never trust a new system
    The less you trust a new system, the more fun it is when it turns out to be totally trustworthy, and if not, at least you don't end up losing a fortune!
    Use this mantra in life too; good results recommended! 🙂
  3. Never trust a known system too much!
    Know your limits: you own your body totally, but a flu attack can happen uninvited on the best of days!
    Even your trusted, disconnected home system is subject to virus attacks from the Chinese-made pen drive!
  4. You are as secure as the world around us!
    The equation of trusted<->non-trusted keeps getting updated regularly, which keeps the battle on between the evil strangers and the white hats!
  5. Question everything!
    If you are not finding the answers, start looking for the right ones elsewhere! Don't take anything for granted, even the obvious; have an inquisitive mind!
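The first practice above points at an online generator; as an added example (not part of the original post), here is the same job done locally, so the secret never leaves your machine: uniformly random passwords from a CSPRNG, a Diceware-style passphrase, and the entropy arithmetic that tells you how much a given length actually buys. The symbol set, the default length of 16 and the toy word list are my choices, not the post's.

```python
import math
import secrets
import string

# Character classes. `secrets` is a CSPRNG; `random` is a predictable PRNG and must
# not be used for credentials.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"        # 28 symbols, chosen for this example
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS     # 90 distinct characters


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def has_all_classes(password):
    """True when the password contains at least one lower, upper, digit and symbol."""
    return (any(c in LOWER for c in password)
            and any(c in UPPER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length=16):
    """Uniformly random password over ALPHABET, rejecting candidates that miss a
    class so that typical site-side composition rules are satisfied. Rejection
    sampling keeps the result uniform over the accepted set (no biased 'fix-ups')."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all four classes")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def passphrase(words, count=5, separator="-"):
    """Diceware-style passphrase: `count` words drawn uniformly (with replacement)."""
    return separator.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, f"~{entropy_bits(16, len(ALPHABET)):.1f} bits")
    # Constructed toy word list; a real Diceware list has 7776 words (~12.9 bits/word).
    demo_words = ["correct", "horse", "battery", "staple",
                  "orbit", "kettle", "lantern", "velvet"]
    print(passphrase(demo_words), f"~{entropy_bits(5, len(demo_words)):.1f} bits")
```

The entropy figure is the honest measure of strength against brute force: 16 characters from 90 candidates is about 104 bits, while five words from an 8-word toy list is only 15 bits, which is why a passphrase needs a large list to compete.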

Few years into the future, and these practices might not change, only the systems we interact and correlate with will keep upgrading!

Conclusion

The Question is, how do we trust

Workout Guy

from

Tiffany

Either be a paranoid like Agent J or start following the warrior approach! 🙂

PS: This was written for an opening @ THN.

Securing your AWS instance!

Getting things secured in the app is a daunting task! Here's a plethora of links that can help anyone lost/looking to get it done!

  • Can't trust HTTPS? Well, roll out your own, AT YOUR OWN RISK! (A must for even HTTPS GET calls)
    http://dacrazycoder.blogspot.in/2013/09/encrypt-url-parameters-using-aes-in.html
  • openssl | Getting started with the certificate
    https://www.digitalocean.com/community/tutorials/how-to-install-an-ssl-certificate-from-a-commercial-certificate-authority
  • Look here if nothing works!
    http://www.thefarmdigital.com/blog/technology/how-do-i-setup-ssl-on-aws-elactic-load-balancerelb/
  • FF issue(double check in the browser too!)?
    https://sslanalyzer.comodoca.com/
  • AWS docs(perfect example of information overload)
    http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/configuring-https-elb.html
    http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.managing.elb.html
    http://serverfault.com/questions/356598/why-cant-i-reach-my-amazon-ec2-instance-via-its-elastic-ip-address
    http://serverfault.com/questions/238976/cname-to-aws-public-dns
    http://pushentertainment.com/rds-connections-by-instance-type/(DB)
  • Testing what you have
    http://mxtoolbox.com/productinfo/domainhealth
    https://www.sslshopper.com/ssl-checker.html
    https://sslanalyzer.comodoca.com/
  • Small things(Hacks!)
    http://stackoverflow.com/questions/22290821/using-a-wildcard-ssl-with-a-cname-pointing-to-ec2-instance
    http://passwordsgenerator.net/

Don't forget: if you have a front controller for your AWS, you need to apply the certificates there also!

And finally once all is set up turn off your http listeners for port 80! 🙂

And here's a link to end the atrocities of the monopoly of the so-called CAs: https://letsencrypt.org/ 😀

Public Network Passwords under attack!

With options like this which are available now, public network passwords are a vulnerable lot today!
Coming to solution mode, the question that raises concerns and needs to be addressed is:

How to protect public network password from brute force attack?

And we think about the answers:

1/Biometrics?
No, can be easily imitated, and IMHO, causes the power to rest with anyone who has power/money.

2/Special fonts?
Kinda-OK, the fonts that are created, should reside on a system only.
Limits mobility, but sure seems a viable option.

3/Thick client logins?
Yup, Can be mobile, enables a secure area.
More like double-check locking!

4/Best of 3 login attempts?
Blacklist the brute-force IP. (+) Good for cleaning up the internet, (-) bad for businesses!

5/Image/Non-Text based passwords?
(+) Increases complexity (+) can be copyrighted/encrypted (-) Need to carry that picture always! (-) Little randomness.
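Option 4 above (three attempts, then blacklist the source) is the one a defender can implement today, so here is an added example (not from the original post) of the detection half of it: parse sshd-style authentication log lines, keep a sliding window of failures per source address, and block a source once it reaches the threshold. The log lines are constructed with documentation-range addresses, and the three-failures-in-60-seconds policy is an assumption for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth-log lines (RFC 5737 documentation addresses; not real traffic).
SAMPLE_LOG = """\
2016-10-21T10:00:01 sshd[101]: Failed password for root from 203.0.113.5 port 50001 ssh2
2016-10-21T10:00:03 sshd[101]: Failed password for root from 203.0.113.5 port 50002 ssh2
2016-10-21T10:00:05 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 50003 ssh2
2016-10-21T10:00:09 sshd[102]: Accepted password for alice from 198.51.100.7 port 41000 ssh2
2016-10-21T10:01:00 sshd[103]: Failed password for alice from 198.51.100.7 port 41001 ssh2
2016-10-21T10:05:00 sshd[103]: Failed password for alice from 198.51.100.7 port 41002 ssh2
2016-10-21T10:10:00 sshd[103]: Failed password for alice from 198.51.100.7 port 41003 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, failed, user, ip) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]),
                       m["result"] == "Failed", m["user"], m["ip"]))
    return events


def blocklist(events, max_failures=3, window=timedelta(seconds=60)):
    """Return {ip: time_of_block} for sources with >= max_failures failed logins
    inside any `window`-long span. Failures older than the window are forgotten,
    so slow, spaced-out mistakes by a legitimate user do not trigger a block."""
    recent = defaultdict(deque)
    blocked = {}
    for ts, failed, _user, ip in sorted(events):
        if ip in blocked or not failed:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= max_failures:
            blocked[ip] = ts
    return blocked


if __name__ == "__main__":
    for ip, when in blocklist(parse_auth_log(SAMPLE_LOG)).items():
        print(f"block {ip} (threshold reached at {when.isoformat()})")
```

The post's "(-) bad for businesses" is visible in the design: the key is the source address, so one blocked NAT gateway locks out everyone behind it, and an attacker who spreads attempts across many sources (the same distributed pattern as the DDoS post above) never trips a per-IP threshold. In practice this per-source rule is paired with per-account throttling and temporary rather than permanent blocks.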

What could give the password crackers a new challenge?
It seems brute force has won, and the textbooks need to be edited!