Preventing the IoT Dystopia with Copyleft- Bradley M. Kuhn
The S in IoT stands for Security
Many stories of people hacking into baby monitors and home cameras
IoT Devices often phone home to manufactorers website in order that you can access then remotely. “I suppose there are Chinese hackers watching my Dogs all day, I hope they will call me if they need water etc”
Open source people have historically worked to get around problems like this.
1992 – If you wanted Linux, you downloaded the software onto floppies and installed it yourself. And Often had to work hard to make it work.
Today only a small percentage of laptops sold have Linux on it.
But Linux is commonly installed on IoT devices – 90% odd
No [easy] way to reinstall it yourself
Much worse than laptops
GPL includes “The scripts used to control the compilation and install of the executable”
“Freedom to Study” is not enough
Linksys Wifi router
Release forced from Linksys and Cisco
“Source as received from Linksys from GPL enforcement”
Is OpenWRT a Unicorn
Few projects with serious alternative firmware project
Still sold new after 20 years
Before IoT was even a term
At least one model of Samsung TV -> samygo.tv
“Baffles me as to why do the manufactorers want us to buy more hardware”
Linux focuses to much on big corp users and ignores hobbyist users
Kernel peopel only care about the .c files. Don’t care about the install scripts etc.
People at top of Linux now got their start hacking on the devices in front of them.
The next generation of developers will be those hackers not from IBM and other big companies
You didn’t need anything but a computer and an internet connection to become and upstream developer in those days. This is becoming less true.
If the only thing you can install Linux on is a rackmount server, a cloud server or maybe a laptop and none of the IoT devices around you then things don’t look good….
Linux was successful because users could install it on their own devices
Linux won’t remain the most important GPL program if users can’t install their modifications. Tinkering is what makes Free software great.
Upstream matters of course, but downstream matters more.
There may be 1000s of Linux developers
Put 2 billion people have Linux on their phone – Which is locked down and they can’t reinstall
We don’t need a revolution to liberate IoT devices
because the words are already there in the GPL
We just have to take up our rights
What you can do.
Request Linux sources on every device you own – Companies have figured out people almost never ask
Try to build and install them. If you can’t ask a friend or ask Conservancy for help
If it doesn’t build/install it is a GPL violation, report it Conservancy
Step up as a leader of a project devices that matter to you.
Why this will work
The problem seems insurmountable now, only because we have been led astray
First and absolutely necessary step towards privacy and scurity on those devices
When the user controls the OS again, the balance of power can be restored
Best way to ask for source code? Try email, the manual should say.
How to get the new code on the device? Needs some push onto industry
What if writing requires expensive equipment? Fairly rare, many devices allow over-the-air upgrades, we should be able to go the same way.
Is there a list of compliant devices? – Proposed in past. Want to go softly at first in many cases
Am I exposed to liability if I modify and distribute code I receive? – Almost certainly note, contact Conservatory if you are threatened.
Web Security 2019 – James Bromberger
History of browser
Netscape with crappy ‘International Security”
https takeup is growing
Chrome is hitting 60-70%
82% of browser are “modern”, crossover of chrome users to new version is about 3 months.
Remove early TLS in mid 2018
TLS 1.1 and higher allowed
The legacy browser has gone in the real world
Some envs still behind, but moving ahead
What can we do with as little changes as possible?
0. Don’t use http, use https
Stds reducing max length of certs from 5 years
1. TLS protocols
7 versions out there (old ones SSL).
Most over 10+ years old
Only 6 in the wild
3 not-known to be comprimised ( 1.1 1.2 1.3 )
Very few clients only support 1.1 and not 1.2 (small gap in 2006-2008 ). IE supports 1.2. So maybe disable 1.1
Log the protocol being used so you have data on your users
OTOH not much supports 1.3 yet
Use 1.2 and 1.3
Turn off on the Browsers to
Looks at which libraries you are using in code that makes https connections
2. Cypher Suite Optimisation
New EC certs for key exchange
New certs getting changed to ECDSA
AES is standard for bulk encryption. GCM mode is best although windows 9 can’t do (Upgrade to 10!)