Arlington National Cemetery: for those who served, and remained true

Those who attempted insurrection must never be laid to rest at Arlington.

There is a price for freedom and there is a price for dishonor. The history of Arlington National Cemetery reflects both. The land had great appeal to the Quartermaster General of the Union Army, General Montgomery Meigs, because Robert E. Lee’s home rested on it, and he despised Lee for having taken up arms against the Union. The land was unceremoniously wrested from the Lee family in an undermarket tax sale in January of 1864.

Arlington National Cemetery and the Lee Home.
Arlington Cemetery and the Lee Mansion

The first soldier laid to rest there was twenty-one-year-old Private William Christman, of the 67th Pennsylvania Infantry, on May 13, 1864, but he and others were not initially interred near Lee’s house. Such burials happened only later, at Meigs’ explicit instructions, so that Lee could never return to the estate without seeing the damage he and the rebels had caused. Meigs’ hatred of rebels only intensified with the death of his son John in October of that same year.

Born of such resentment, Arlington Cemetery is now the pinnacle of the national cemetery system of the United States, an honor we pay those who have sacrificed, where generals and privates alike share some space.

Congress has denied burial at Arlington to murderers and certain others. They should also strip that privilege from anyone who was part of this year’s attempted insurrection. To allow burial of such people there would be to desecrate the memory of the sacrifice of those who dedicated their lives to our freedoms, many of whom gave what Lincoln called the last full measure of their devotion to the Union.

That Bench

An empty bench at the shopping center

Before the pandemic, Saturday was The Big Day in our town. It was the day when people shopped, and it was the day when people socialized. It would be when the Pfadi (the Girl+Boy Scouts) would do their hikes and play their games, and it was where the new and old would meet. And many would do so in the shopping center in the center of town.

A fixture within the shopping center in the center of our town is this bench. I would call it the old Italian bench, because old men would meet there and converse… animatedly… in Italian. And no, if you weren’t old, and didn’t speak Italian, you would certainly not be invited to join in, and you would be frowned upon for sitting on that bench on a Saturday morning. It was their bench at that time, and everyone in town knew it. And why not? It was a pleasure to see them enjoying each other’s company.

That bench has been empty for over a year.

One of the things I missed in California was a sense of community. It has been something that I have treasured in my little town. It is not something that Zoom, WebEx, Meetecho, FaceTime, or Skype can replace, nor is it something that Facebook, Twitter, Pinterest, or WhatsApp can replace. The human contact, not just of friends and family, but of community has been missing.

As we get beyond the pandemic, I hope that bench fills soon, that the animated Italian conversations return, and that families can also meet at that shopping center and let their children play either indoors or out while they have a cup of coffee or a meal together, as we did. I hope we can regain our community.

Who has access to that smart home you’re buying?

You got the keys to the house, but someone else may have the keys to all of the systems inside the house, including the door locks.

You’ve just moved into a lovely house. It has these wonderful smart lights, with a wonderful smart oven, fancy smart thermostats, with a smart refrigerator, smart locks, and a smart security system. There’s only one problem: not only do you not have all that fancy access for your apps, but perhaps the old owner still does, and he didn’t leave willingly, something you don’t know. Sounds crazy? We sure have come a long way from just getting the keys and the garage door openers, and one cannot just call a locksmith.

Philips Hue Bridge

Many – but not all – IoT-enabled devices have some form of factory reset capability. Often, this amounts to inserting a paperclip into a pinhole and holding it for 10 seconds or so, but as we’ll see the procedure varies by device type, and it is not possible for some devices. Your stove is unlikely to have anything to stick a metal object in, for instance, nor will outdoor lights. In these cases, there will generally be some vendor instructions. In the case of Philips Hues, the only available reset option is to reset the bridge that is used to communicate with the lights. If the bridge is fastened to the wall, as demonstrated in the picture, this means removing it first. This, by the way, requires not only that the bridge be re-paired with the lights and with your app, but that all configuration for the lights be re-established.

Yale Assure Lever Lock
Yale Assure Lever

What about smart locks? Clearly one of the highest priorities upon taking possession of a home is to control who can enter. If you are leasing a home, some smart locks have master codes that the landlord will set and maintain. In this case, all is “good” (assuming you don’t mind your landlord having access) unless the landlord loses the code. If you bought your dwelling, or if the landlord did lose the code, what to do? Again, this will vary by vendor. For example, here are the instructions for the Yale Assure Lever (YRD256):

  1. Remove battery cover and batteries.
  2. Remove the interior escutcheon to access the reset button.
  3. Locate the white reset button near the PCB cable connector.
  4. Press and hold the reset button for a minimum of three (3) seconds while simultaneously replacing the batteries.
  5. Once batteries are replaced, release the reset button.
  6. Reassemble the lock.

You might be wondering what an escutcheon is. According to Google, it’s a flat piece of metal for protection and often ornamentation, around a keyhole, door handle, or light switch.

SKS Double Oven

Next, let’s have a look at the oven. Let’s say that you have a Signature Kitchen Suite Double Wall Oven such as the one pictured to the left. According to the instructions, all it says is… follow the app instructions. You better hope there are some, or a service call to SKS will be in order. By the way, one might reasonably ask what could happen if you don’t reset this device? First, the device itself won’t be able to receive security updates, assuming the company issues any to begin with. This means the oven could be vulnerable to attack. If the oven app was used by the previous owner, then the chances are, it has joined and would be looking for the old Wifi network. But we really can’t say, because there’s no clear documentation. This holds true for many “smart” devices.

Genie StealthDrive 750 Plus

Oh and then there’s that garage door. Here’s the Genie StealthDrive 750 Plus, featuring what they call Aladdin Connect. Their stated “advantage” is that you can “Control and monitor the status of your garage door from anywhere with your smart device.” Or the previous owner can. Or your ex-husband can. The good news is that garage door manufacturers have been in business for a long time, and understand the need to deal with lost or misplaced remotes. The bad news is that they haven’t been in the Internet security business for very long, and there are indeed no instructions on how to reset Aladdin Connect, other than to unplug it.

Oh dear.

How does one take possession of that house?!

While it is impossible to provide a comprehensive guide about all smart devices, here are some guidelines that will help.

First, learn about what IoT devices are in the house prior to entering a contract, or by including full disclosure and assistance as a contingency of sale. Having documentation and a customer support number available will help to assess what effort is required to shift control from the old owner to you. The simplest case may be for the old owner to transfer control to you in whatever application controls the smart appliance. Otherwise, a reset will be required.

You might want to use a simple table along the lines of the following to assist.

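| System | IoT Enabled? | Manual located? | Known how to reset? | Customer Service contact | Handoff Complete |
|---|---|---|---|---|---|
| Smart Locks | | | | | |
| Door Bell | | | | | |
| Climate Control | | | | | |
| Garage Door | | | | | |
| Lighting | | | | | |
| Oven | | | | | |
| Fridge | | | | | |
| Sprinklers | | | | | |
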
Smart device handover checklist

It may not be possible to reset certain devices, as we discussed. In this case, what is important is that you read the documentation and understand when you have received the necessary supervisory access. You should be able to understand who has control and who doesn’t. If there are passwords involved, you should change them. If there is a list of authorized users, you should be able to view them and disable the ones you don’t know. If you can’t perform these functions, it may cost money to correct the situation. You should know about that cost in advance.

Is all of this Smart Stuff worth it?

While it may help to think about what benefit you will gain by having smart appliances in the house, increasingly the choice may no longer be yours, as IoT capabilities diffuse through the industry. If you are moving into a place, you don’t want to have to worry about who has control of the door locks. If you are installing door locks, you may want to think twice about the headaches that may occur when you move out. Whatever you do, keep all manuals! They will be needed later.

I should point out that the vendors I named in this post are not bad vendors, but in all likelihood representative of where the market is today. Few vendors are likely to do better than them.

Is there hope for the future?

Yes. Smart home device capabilities are still evolving. Just like we had universal remote controls for televisions in the 1980s, at least some access control functions are likely to be aggregated into one or two control systems. The reason this is likely is that no manufacturer really ever wants to hear from you, because phone calls have to be answered by people whose salary takes away from their profits. This means that incentives are likely aligned for manufacturers to cooperate on standards to facilitate handover.

Can the Internet Get “Walled”?

What’s the Suez Canal of the Internet?

The Ever Given blocking the Suez Canal
Ever Given

Over the last few days we bore witness to a minor economic disaster, thanks to the Ever Given having firmly planted itself into both walls of the Suez Canal. The Financial Times gives a very good overview of the factors that led to this mishap. In that article, Brendan Greeley describes how the Ever Given got “walled” more so than just grounded, because it implanted itself into the canal walls.

For those of us whose life is about providing resilient services, one has to ask: where was the failure? Mr. Greeley goes into some depth about how the sheer height (beam), weight, and width of the ship, the shape of the canal, the water forces and wind all contributed to this mishap. He also pointed out that the economics favor larger vessels. This is an externality: there is no chance that the owners will ever pay for the amount of damage the blocked canal has caused, which is estimated to have been up to $10 billion. Syria was reportedly rationing fuel because of the blockage, and fuel prices across the globe ticked up. Several ships rerouted to go around the horn of Africa, risking hijackings.

The other, far bigger failure here is that there is but one canal upon which large portions of the world economy depend. One big anything doesn’t make for good resilience. That canal could fail again. Knowing this, Iran has offered to create an alternate shipping lane, adding at least a bit of redundancy into the system. Ultimately, manufacturers throughout the supply chain can re-evaluate how to manage this sort of delivery delay. Should new lanes be formed? Should more production be closer to the end consumer? A new canal would surely cost tens of billions of dollars, and may offer only limited resilience. After all, why wouldn’t the same failure happen in both canals? In all likelihood it won’t be this precise “walling”, the hope being that canal operators and pilots will update their procedures to limit the risk.

We Internet geeks understand this class of problem in great detail, in many dimensions. A major benefit of cloud computing is to spread load across multiple CPUs in multiple locations, so that no single failure would cause disruption.

Taken individually and impacting individual customers, it’s a sure bet that cloud services are far more reliable than people rolling their own, just as it is safer to use a container vessel than trying to carry one’s products across in a dinghy. However, the flip side of that coin is the impact those services have when they fail. Some examples:

| When | What | Impact |
|---|---|---|
| 2016 | Mirai BOTNET / DYN attack | Twitter, other services out for a day |
| 2020 | GMail, YouTube, Google Docs | Services disrupted for an hour |
| 2020 | Amazon Web Services East Coast Data Center | Large numbers of application services failed |
| 2020 | Cloudflare DNS outage | Client resolvers failed for 27 minutes |
| 2021 | Microsoft Teams and Office 365 | Services to their customers unavailable for four hours |

Can an Internet-wide failure happen? Where’s that “Internet canal” bottleneck? I wrote about that for Cisco not long ago. It could very well be cloud-based DNS resolvers, such as Cloudflare’s 1.1.1.1. What we know is that these services can fail because they have done so in the past. Last year, MIT sage Dan Geer looked at market concentration effects on cybersecurity risk, which opens up a bigger question. This time, The Ever Given failed without any malice. Geer’s major point is that there is an asymmetric attack on large targets, like popular cloud services. The same perhaps can be said about the Suez Canal.

Note that large cloud services are not the only aggregate risk we face. Geer’s earlier work looked at software monocultures. When a large number of systems all use the same software, a single attack can affect all, or at least a great many, of them. This is just another example of a Suez Canal.

The economic drivers are always toward economies of scale, whether that’s a large cloud service or a single supplier, but at the often hidden price of aggregate resiliency. The cost generally amounts to an externality because the size and scope of the service, as well as the impact of an outage on others, are not understood until an event happens. Having not considered it a week ago, some producers are considering this question today.


Courtesy of Copernicus Sentinel data 2021, https://commons.wikimedia.org/w/index.php?curid=102251045

The Challenges of CISOs

Are CISOs investing enough in protection? Do they have good visibility to threats?

Aub Persian Zam Zam

Long ago there used to be a bar on Haight St. called Aub Persian Zam Zam, run by a cranky guy named Bruno. Bruno hated everyone, and he preferred only to serve martinis. If you walked in before 7:00pm, he told you that table service started at 8:00pm. And if you walked in after 7:00pm, table service stopped at 6:00pm. As a customer, I felt a little like a Chief Information Security Officer (CISO).

CISOs constantly face a challenge with their boards: how much to invest in security. If you haven’t been hacked, then you are accused of spending too much on protection (and might be out of a job); and if you have, then you spent too little (and might be out of a job).  But CISOs have to operate in the here and now. They don’t get to have the luxury of hindsight. What CISOs need is an appropriate level of investment to secure their charges and situational awareness to make good decisions.

Much is being made of the lax security that SolarWinds had. As Bruce Schneier pointed out in the New York Times, they had been hacked not just once, but several times. There was the attack on the company and then there was the attack on their customers. The attack on the customers involved the use of a DNS-based command and control (C&C) network, very stealthily crafted code, and the potential for an infected system to probe whatever was available to it at government and industrial installations across the globe. This may have been particularly damaging in the case of SolarWinds because the legitimate software could have stood in a privileged point within an enterprise, requiring access to lots of other core infrastructure. The Russians picked a really juicy target. They were, if you will, an incident waiting to happen, and happen it did. SolarWinds was detectable, but it required an appropriate investment in not only tooling but back-end expert services to provide situational awareness.

Not every target is quite so juicy. Most hackers hit web servers or laptops with various viruses. The soft underbelly of cybersecurity, however, is the control systems, which themselves have access to other infrastructure, as was demonstrated this past month, when a hacker attempted to poison a Florida city with lye. Assuming they have one, the Oldsmar CISO might have some explaining to do. How might that person do so, especially when it is the very system meant to protect the others? It starts by knowing how one compares to one’s peers in terms of expenditures. It’s possible to both under- and overspend.

Gordon Loeb Model

Optimal investment models for cybersecurity have been an ongoing area of research. The seminal Gordon-Loeb Model demonstrates a point of optimality and a point of diminishing returns for risk mitigation. The model doesn’t give you the shape of either curve. That was the next area of research.
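To make the point of optimality and the diminishing returns concrete, here is an added worked example (not from the original post). It assumes one breach probability family from Gordon and Loeb's paper, S(z, v) = v / (αz + 1)^β, and uses constructed numbers for the vulnerability v, the loss L, and the productivity parameters α and β.

```python
import math

# Added illustration. Assumptions (not from the post): the class-I breach
# probability family S(z, v) = v / (alpha*z + 1)**beta from Gordon and Loeb's
# paper, and every numeric parameter below, which is constructed.

def breach_probability(z, v, alpha, beta):
    """Probability of a breach after investing z, given vulnerability v."""
    return v / (alpha * z + 1.0) ** beta

def enbis(z, v, loss, alpha, beta):
    """Expected net benefit: reduction in expected loss minus the spend."""
    return (v - breach_probability(z, v, alpha, beta)) * loss - z

def marginal_benefit(z, v, loss, alpha, beta):
    """Expected loss avoided by the next unit of spend (-dS/dz * L)."""
    return alpha * beta * v * loss / (alpha * z + 1.0) ** (beta + 1.0)

def optimal_investment(v, loss, alpha, beta):
    """Closed-form z* where marginal benefit equals 1; 0 if never worth it."""
    at_zero = alpha * beta * v * loss
    if at_zero <= 1.0:
        return 0.0
    return (at_zero ** (1.0 / (beta + 1.0)) - 1.0) / alpha

def numeric_optimum(v, loss, alpha, beta, iterations=200):
    """Cross-check by ternary search; ENBIS is concave on [0, v*loss]."""
    lo, hi = 0.0, v * loss
    for _ in range(iterations):
        m1, m2 = lo + (hi - lo) / 3.0, hi - (hi - lo) / 3.0
        if enbis(m1, v, loss, alpha, beta) < enbis(m2, v, loss, alpha, beta):
            lo = m1
        else:
            hi = m2
    return (lo + hi) / 2.0

if __name__ == "__main__":
    v, loss, alpha, beta = 0.6, 1_000_000.0, 1e-5, 1.0  # constructed values
    z_star = optimal_investment(v, loss, alpha, beta)
    print(f"expected loss with no spend: {v * loss:12,.0f}")
    print(f"optimal spend z*:            {z_star:12,.0f}")
    print(f"Gordon-Loeb bound vL/e:      {v * loss / math.e:12,.0f}")
    for z in (0.0, 50_000.0, z_star, 300_000.0, 500_000.0):
        print(f"z={z:10,.0f}  S={breach_probability(z, v, alpha, beta):.3f}  "
              f"net={enbis(z, v, loss, alpha, beta):11,.0f}  "
              f"marginal={marginal_benefit(z, v, loss, alpha, beta):.2f}")
```

Past z*, each additional unit of spend avoids less than one unit of expected loss, which is the overspending case; with a low enough vulnerability the marginal benefit never reaches 1 and the optimal spend under this function is zero.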

For one, some things are easy to do, and some are hard; but the easy things are often not the right things to do. Low level cybersecurity professionals sometimes make the wrong choices, being risk seeking for big ticket items like device policy management, two-factor authentication, training, and auditing; while being risk averse to matters that are within their control. Back in 2015, Armin Sarabi, Parinaz Naghizadeh, Yang Liu, and Mingyan Liu set out to answer this question. The table below, liberally borrowed from their paper, shows a risk analysis of different sectors.

Sarabi et al, Prioritizing Security Spending: A Quantitative Analysis of Risk Distributions for Different Business Profiles, Workshop on the Economics of Information Security, 2015.

What this says is that based on reports received, configuration errors were a substantial risk factor pretty much everywhere but accommodation and food services, but they suffered because employees share credentials. It was a limited survey, and surely the model has changed since then. In the intervening time, cloud computing has become far more prevalent, and we have seen numerous state actors take on a much bigger, and nastier, role. It is useful, however, for a CISO to have situational awareness of what sorts of common risks are being encountered, and to have some notion as to what best practices are to counter those risks, so that whatever a firm spends is effective.

Expenditures alone don’t guarantee against break-ins. Knowing one’s suppliers and their practices is also critical. Knowing that Verkada had sloppy practices would have both deterred some from using their cameras, and in turn encouraged that provider to clean up their act. Again, situational awareness matters.


Gordon Loeb Diagram by Luca Rainieri – Own work, CC BY-SA 4.0