Saturday, June 17, 2017


This is a joint blog post with my food blog. A trip through St. Louis gave me a chance to catch up with my former student Jason Fritts, who is now a professor at St. Louis University.  Jason is well known for his work in multimedia computing and is the main organizer of the MediaBench benchmark series.  Over pizza he told me about his amazing project to builod accelerometers into a flycasting rod.  I think he said that the tip hits 30-40 Gs.  Very cool stuff.

Friday, June 16, 2017

EU Draft Report on Privacy and Electronic Communication

The European Parliament has released here a draft report on a proposed regulation on privacy and electronic communication.  This report is long and technical, but it does describe at least encouraging a variety of measures to protect the privacy of electronic communications, such as enryption.  It also specifically mentions metadata as worthy of privacy protection.

This report probably is intended to cover email, social media, etc. But it does seem to me that much of the language is general enough to cover all sorts of other communications. Messages and data samples from IoT devices are, after all, electronic communications. The data and control packets on a distributed control bus are also electronic communications.

Commuication within and between IoT and CPS devices and systems deserve privacy.   A large body of work has shown that quite a bit can be inferred about a person and their activities from a small number of samples.  However, these systems often run in real time and under power constraints.  The encryption and privacy techniques appropriate to IoT and CPS are, in general, quite different from those for information technology (IT) systems.  Let's hope that privacy protections cover all the bases and do so in a manner appropriate to the wide ranging ways in which we use computers.

US-CERT Warning on North Korean DDoS Botnet

The U. S. Computer Emergency Readiness Team (US-CERT) has issued this alert TA17-164A on North Korea's HIDDEN COBRA cyberwarfare unit and their efforts on building botnets for DDoS attacks.  This page includes links to indicators of compromise (IoC) to be checked by system administrators.  US-CERT that people who find evidence of these tools should be reported to either the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch). The alert identifies tools and capabilities including DDoS botnets, keyloggers, remote access tools, and wiper malware. It says that HIDDEN COBRA primarily targets older versions of Microsoft OSs as well as Adobe Flash.

Wednesday, June 14, 2017

Personal and Public in IoT Security

IoT devices present us with an interesting combination of concerns in the private and public spheres.  On the one hand, a poorly secured IoT device can present a safety hazard to its owner.  An insecure or poorly designed IoT garage door controller, for example, can lead to burglaries, improper operation of the door, etc.   Some of those same vulnerabilities can allow the device to be used in attacks on other parties, the recent Dyn attack being a prime example.  I am hard pressed to find a corresponding linkage between personal safety and public safety in non-computerized devices.  But even if other parallels exist, the scope of possible problems that can be caused by insecure IoT devices is troublesome.

Monday, June 12, 2017

Point-of-View Article on Safe and Secure CPS and IoT

The latest issue of Proceedings of the IEEE is out and it contains a short point-of-view article by Dimitrios Serpanos and me on safe and secure CPS and IoT.  We argue that safety and security are no longer separable.  We observe that best practices in both safety and security need to be applied to modern systems, but that new methods will also be necessary.  A special issue on this topic will appear in PIEEE a few months from now.  In the mean time, this article summarizes our vision for the design of these critical systems.

Thursday, June 8, 2017

IT Methodologies Should Learn from CPS

I have said on more than one occasion that Internet connectivity makes the CPS V methodology inadequate.  The V methodology works top down for design, then bottom up for implementation, forming a V.  It implicitly assumes that the specification is static, giving a known target for the end of the V.  The changing threat from the Internet undermines that assumption.
However, we should keep in mind that many CPS systems make use of software from the IT world, whether it be licensed or open source.  IT developers can no longer assume that their customers are solely from the IT world.  They need to take into account the requirements of cyber-physical systems.  To satisfy those requirements, they should adopt the more stringent verification and validation approaches embodied by the V methodology.
Many software IP modules are developed relatively independently of applications.  A V-methodology-based approach would condition the release of these modules on validation within some exemplary systems.  System-integrated testing from both IP and CPS domains would help to shake out bugs in both the implementation and specification.
Agile software development emphasizes fast development of disposable software.  That approach makes sense for some domains.  But long-lived modules require a different, more deliberate approach.  The confluence of IT and CPS encourages us to invest in the careful design and construction of building block modules.

Thursday, June 1, 2017

Criminal Gang Steals Jeeps Using Authentication Codes

Extremetech reports here on a motorcycle gang that stole 150 Jeeps using replacement key codes in a stolen database.