Privacy in the Age of IoT

The advent of internet enabled ever-connected smart devices in our everyday lives has led to a large-scale proliferation of the Internet of Things into every aspect of our modern lives. It has now become more important than ever to understand the security and privacy risks associated with connected devices. With smart home devices, office tools, home automation systems, children’s toys and even medical devices becoming an integral part of our digital lifestyles, becoming technology aware and understanding the key implications of technology in personal privacy and security should be a key priority for every individual. The advent of internet enabled ever-connected smart devices in our everyday lives has led to a large-scale proliferation of the Internet of Things into every aspect of our modern lives. It has now become more important than ever to understand the security and privacy risks associated with connected devices. With smart home devices, office tools, home automation systems, children’s toys and even medical devices becoming an integral part of our digital lifestyles, becoming technology aware and understanding the key implications of technology in personal privacy and security should be a key priority for every individual.

What is IoT?

The Wikipedia article on The Internet of Things (IoT) defines it as:

• A system of interrelated computing devices, mechanical and digital machines,
• That are provided with unique identifiers (UIDs) and 
• The ability to transfer data over a network
• Without requiring human-to-human or human-to-computer interaction.

IoT as a concept is still in a state of relative infancy in society, as are the regulations that accompany it. At its core, IoT involves the collection, classification and use of data captured by the sensors, which is processed in the cloud and is used to inform decision making and actions driven by the device logic. 

What is Privacy?

In the age of connected devices it can become tricky to define what is privacy – Is privacy a fundamental human right? Is it a right to be left alone? While talking about privacy in the context of information technology and the Internet of Things we tend to focus more towards Information Privacy. However, it isn’t always as simple as just maintaining secrecy. It is also about the right to have some degree of control over how our personal information is collected and used.

Privacy isn’t really about keeping things private, it’s not about secrets, it’s about choice.

Privacy refers to the ideology that individuals should have the freedom, or right, to determine how their digital information, mainly that pertaining to personally identifiable information, is collected and used. 

Impact of IoT on Privacy

Surrounded by a world full of sensors talking not just with us but also with the internet, where data about our everyday activities, our likes, our dislikes, our views and our beliefs is stored in the cloud, the implications of the advent of the age of IoT has serious implications on privacy and security. The potential for such data to be packaged and sold for a variety of purposes is in turn converting us to the product as opposed to being the consumer. While using a lot of free to use services, we might not be paying for using the service with money, but rather with our data, which might not be intended for sharing with anyone

Because a host of convenient smart devices now continuously collect, dissect and process data to make our lives more convenient, they have also magnified the threats to data privacy.

Our ability to collect and process data has overwhelmed our ability to protect that information. Our smartphones, fitness trackers, smart TVs, and even smart appliances generate a massive amount of sensitive information, from browsing habits to purchasing patterns to real-time location and personal health information.

It’s no longer just our photos and emails, but also our heart rate, respiration rate, location, what we eat and even how we sleep. We are left with no more personal spaces since we give service providers the permission to sell our data while accepting the Terms & Conditions for free services. The privacy and attention we’re trading for our “free” services and content is now much more personal. Particularly where sensitive data is concerned, IoT can put the privacy of individuals at risk.

Implications of Identity Management and Data Ownership with IoT 

The issue with this deluge of data leads to the problems of identity management and data ownership. Is the collected data really anonymous? Who owns the data being collected by connected devices to make these devices smart? The footprint our devices leaves on the Internet tells a story. How much of our personal narrative are we willing to trade off for the sake of convenience? The biggest issue while dealing devices like personal assistants that are always listening, is the concern around controlling the narrative around this story.

Even though it might seem counter intuitive, data privacy does not necessarily mean keeping our data private. Rather it focuses upon taking charge of what we choose to divulge about ourselves. With every smart device that we acquire, we leave an ever increasing trail of data. With an increase in the number of smaller and smarter devices, service providers can paint highly detailed portraits of almost everything we do. As such, connected devices deserve a healthy dose of skepticism when it comes to information security and data privacy. 

The GDPR – A ray of hope?

For over three decades we have debated over privacy in the internet, with not much success. The internet of things is however still in its infancy. Since regulation moves at a snail’s pace, it’s still mostly up to CEOs, executives, and employees to reject projects that put profit over privacy. 

IoT devices do provide many benefits, from convenience in the home, to tracking health and well-being. However, consumers are often blind to the risks associated with the sharing of personal data, until a big breach of that data occurs. IoT and connectivity are growing rapidly, so more and more potential vulnerabilities may be introduced if no security strategy was applied during the design phase. 

It is thus the responsibility of technology organisations and governments to come together to educate society about the value of their personal data and be more transparent about the way in which they process the data. 

The European Union’s General Data Protection Regulation (GDPR) is a step in the right direction; however, other nations need to adopt similar rules to ensure the privacy of individuals is protected.

Enterprise responsibilities for data privacy

Managing the risks associated with data collection begins with making the gathered data more secure. It’s high time to look into what privacy truly requires. 

• Accountability and Transparency: Service providers handling consumer data need to be accountable for its privacy and security. Inclusion of IoT-specific language in data privacy agreements with clear, concise and transparent policies around data handling and protection is of utmost importance. 

• Privacy focussed Lifecycle design: Objects need to be designed for privacy by default and manufacturers need to look at the implications of the data that they want to collect. There’s a need for an effort to look at the whole lifecycle of a smart device and go beyond the GDPR. From design to manufacture to eventual disposal, there’s a need for an effort to make more ethical design choices. Manufacturers should ensure that security keys and IoT device provisioning procedures comply with security and privacy data management guidelines. Architecture and data storage should be designed in such a way that enables GDPR compliance.

• Inclusion of new levels of security and privacy provisions: To make IoT solutions secure and enable privacy, manufacturers need to include security features for data protection at early phases of architecture design. Integration with third-party services have the potential to introduce new concerns, so it is crucial to check that all components comply with stringent policies and guidelines to provide interfaces that are secure. Inclusion of security and privacy monitoring components into the IoT ecosystem would be highly beneficial from a service provider as well as consumer point of view. 

Wrapping up

Privacy is something that comes from within us. Whether we realize it or not, we are responsible for posting a lot of our own private data. We need to be conscious about privacy, and if we are not then we pay the price one way or the other. It’s high time for us to take our privacy seriously. Irrespective of whether we are a developer or a consumer we need to be aware about our choices and make conscious decisions around our personal privacy rather than just focussing on convenience.

References:

1. https://en.wikipedia.org/wiki/Internet_of_things
2. https://en.wikipedia.org/wiki/Digital_privacy
3. https://kromtech.com/blog/security-center/what-is-privacy
4. https://iapp.org/about/what-is-privacy/
5. https://www.researchgate.net/publication/333305381_Privacy_in_the_New_Age_of_IoT
6. https://www.brighttalk.com/webcast/17125/333169/privacy-security-in-the-age-of-iot
7. https://medium.com/@aallan/has-the-death-of-privacy-been-greatly-exaggerated-f2c4f2423b5
8. https://medium.com/pcmag-access/facial-recognition-technology-doesnt-have-to-destroy-privacy-65c8ed953645
9. https://blog.trendmicro.com/data-privacy-age-iot/
10. https://www.csoonline.com/article/3434079/data-privacy-in-the-iot-age-4-steps-for-reducing-risk.html

Working around untrusted certificate errors in Express JS

A few very common fatal errors thrown by the request module for express while trying to access data from self-signed web servers are Error: DEPTH_ZERO_SELF_SIGNED_CERT and UNABLE_TO_VERIFY_LEAF_SIGNATURE

This is because of https://github.com/nodejs/node-v0.x-archive/pull/4023 which mandates NodeJS to validate a server’s certificate by default, which needless to say is how things should be in a production environment.

However, more often than none we tend to use self-signed SSL certificates in our development environments or even within internal networks.

Thankfully for such brain-wracking moments, two particular flags come to our rescue. Enter strictSSL and rejectUnauthorized. The way I personally like to use these flags, is to set defaults within my development environments as follows to bypass SSL validation hence, saving the day! 🙂

var request = require('request').defaults({
    strictSSL: false,
    rejectUnauthorized: false
 });

Please do note, that I do not recommend that you ever try this on your production systems without understanding the true implications of what disabling strictSSL and rejectUnauthorized means for you node server. By disabling these, you are essentially telling your server to skip validation of the requested server’s identity, which leaves your application in quite a vulnerable position.

Rebooting the Bugsmith’s Blog

It’s been a long long time since I last posted in this space. I guess I had been a bit too caught up with life and had been overly focused on my job.

Recently, I realized that I have become quite dormant in the open source communities, and it has been quite some time since I made a worthwhile commit on GitHub / Pagure / BitBucket/etc. My GitHub streak now looks mostly empty which means I have been lazy for over a year now.

So, enough with the slacking around for so long. It’s time to reboot the Bugsmith and get back to the groove of things.

It’s time to draw a line and balance out all the imbalances in my current everyday life. This means fixing my office work schedule, being a bit conscious about my health, and most importantly, getting back to doing something worthwhile with my life.

So, here’s the plan:-

1. I’ll start posting more often about anything and everything.
2. I’m gonna start sharing as much of my everyday learning related to tech and non-tech using this blog as a medium.
3. Finish up all of my pending work [mostly personal stuff which I have been ignoring for a long time now].
4. Get back to contributing more pro-actively to Open Source projects which I find interesting.
5. Get back to attending tech-meetups in my vicinity and beyond.
6. Well basically, get my stuff together and get back to being awesome yet again. 😉

Let’s see how I manage to cope up with my self-expectations! 🙂

Installing Firefox Nightly with Australis on Fedora 18 / 19 / 20

Screenshot of Firefox Nightly with Australis on Fedora 19

Are you a Fedora user who wants to check out the new Australis Theme for Firefox scheduled for release with Firefox 28? However, you are a bit apprehensive of letting go that stable release of Firefox in bundled within your Fedora installation by default, just in case something goes wrong with the nightly beta release.

If this is what defines your current dilemma, fear not. You can have both the stable as well as the nightly beta versions installed simultaneously in your computer in a few simple steps without any trouble at all! Here’s how to do it in case of Firefox Nightly version 28 [the latest release at the time of writing this post]:-

Step 1: Login as Super User:-

$su

Step 2: Get the nightly package:-

Go to http://nightly.mozilla.org to get the latest available nightly build for your system.

Firefox Nightly Webpage

Alternatively, you can use the command line tool wget to directly download it via the command line as follows:-

#wget http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-28.0a1.en-US.linux-x86_64.tar.bz2

Step 3: Extract the contents of the tar ball as follows:-

#tar -xvf firefox-28.0a1.en-US.linux-x86_64.tar.bz2

Step 4: Rename the extracted directory to “nightly”:-

#mv firefox nightly

Step 4: Create an installation directory:-

#mkdir /opt/firefox

Step 5: Move the contents of the “nightly” directory to the installation directory:-

#mv /nightly /opt/firefox/nightly

Step 6: Create a Symbolic link for the Nightly installation:-

#ln -s /opt/firefox/nightly/firefox /usr/local/bin/nightly

Step 7:Run Firefox Nightly by typing the following within the command line or the alt+f2 launcher:-

For command line: $nightly

For alt+f2: nightly

Step 8: Relax and enjoy the Australis awesomeness! 🙂

22.572646
88.363895

From Netscape To Firefox: The Story Of Mozilla Firefox

Introduction

The history of Mozilla, upon which Firefox was built, extends all the way back to 1994, when the name was first established as a branding for the “mosaic killer,” Netscape Navigator. Mozilla as a modern day institution found its beginnings in 1998, when Netscape decided to release the source code of its dying browser to the open source community. Even later still, the browser that would become Firefox did not come into existence until 2002. In a sense, Firefox 1.0 came out in 2004 after 10 years of laying its foundations.

Origins

The origins of Firefox can be traced directly to Netscape, a compan­y whose Web browser, Netscape Navigator, was the dominant browser before Microsoft developed Internet Explorer. The internal company name for the browser was Mozilla. Eventually, Netscape released the source code for Navigator under an open source license, meaning anyone could see and use the code. A non­profit group was set up to direct the development of browsers using this code. This group became the Mozilla Foundation in 2003.

However, Firefox is not the browser the Mozilla group would have released if everything had gone as planned. Like Netscape Navigator before it, the Mozilla software was becoming bigger and bigger as more features were added in ­­ a problem in software development known as “feature creep” or “bloat”.

Around this time, the Firefox project was started as an experimental branch of the Mozilla project by Dave Hyatt, Joe Hewitt, Chanial and Blake Ross. Instead of accepting the feature creep, Blake Ross, (a computer enthusiast who first started helping out the Mozilla project as a hobby when he was 14) decided to start developing his own Mozilla­ based browser, focusing on a streamlined and simple version. Software developer Dave Hyatt also played a major role. Ross was joined by Ben Goodger in 2003, and development progressed rapidly from that point.

They believed that the commercial requirements of Netscape’s sponsorship and developer­ driven feature creep compromised the utility of the Mozilla browser. To combat this perceived software bloat[1] of the Mozilla Suite [2] they created a stand­alone browser, with which they intended to replace the Mozilla Suite. On April 3, 2003, the Mozilla Organization announced that they planned to change their focus from the Mozilla Suite to Firefox and Thunderbird.

Although the Mozilla Foundation had intended to make the Mozilla Suite obsolete and replace it with Firefox, the Foundation continued to maintain the suite until April 12, 2006 because it had many corporate users and was bundled with other software. The Mozilla community (as opposed to the Foundation) continues to release new versions of the suite, using the product name SeaMonkey to avoid confusion with the original Mozilla Suite.

On February 5, 2004, business and IT consulting company AMS categorized Mozilla Firefox (then known as Firebird) as a “Tier 1” (“Best of Breed”) open source product, considering it technically strong and virtually risk­-free.

Naming

Phoenix:

The project which became Firefox started as an experimental branch of the Mozilla Suite called m/b (or mozilla/browser), underwent several name changes. After it had been sufficiently developed, binaries (experimental versions) for public testing appeared in September 2002 under the name Phoenix. The Phoenix name was kept until April 14, 2003, when it was changed because of a trademark dispute with the BIOS manufacturer, Phoenix Technologies (which produces a BIOS­ based browser called Phoenix FirstWare Connect).

Manticore:

The foundations of Phoenix progressed along an entirely different development mindset from its parent Mozilla. Instead of focusing on large application suites developed by large development teams headed by senior programmers, Phoenix centered around a small, core development team concentrated exclusively on the web browsing aspect of the Mozilla Suite. The ideas for these small volunteer projects had manifested themselves earlier with David Hyatt and Ben Goodger’s Manticore browser, built on Netscape and Internet Explorer using C# and .NET. However, where Manticore looked to offer basic browsing functions in a lean form factor, Blake Ross and David Hyatt’s Phoenix looked to innovate on the browsing experience, focusing on security and utility as the pillars of the new browser. Unconstrained by the business­ minded Netscape, Ross and Hyatt could develop a browser “completely focused on the end user.”

Firebird:

In April, 2003, Mozilla announced it would call its new browser “Firebird”­­a mythical creature sometimes considered synonymous with the phoenix, an immortal bird that regenerates itself through self­immolation, to avoid the Phoenix conflict. The new name, Firebird, met with mixed reactions, particularly as the Firebird database server already carried the name. It provoked an intense response from the Firebird free database software project. In response, the Mozilla Foundation stated that the browser should always bear the name Mozilla Firebird to avoid confusion with the database software.
Confusingly enough, the sponsor of the Firebird database development group, went by the name of IBPhoenix (no relationship to Phoenix Technologies, which presented the initial trademark challenge to Mozilla). Formed in 1984 by InterBase Software and acquired by Borland Software in 1991, the group had launched the Firebird free database open­ source project in 2000.

Firefox:

Continuing pressure from the Firebird community forced another change, and on February 9, 2004 the project was renamed Mozilla Firefox (or Firefox for short). The name “Firefox” (a reference to the red panda [3]) was chosen for its similarity to “Firebird”, but also for its uniqueness in the computing industry. To ensure that no further name changes would be necessary, the Mozilla Foundation began the process of registering Firefox as a trademark with the United States Patent and Trademark Office in December 2003. This trademark process led to a delay of several months in the release of Firefox 0.8 when the foundation discovered that Firefox had already been registered as a trademark in the UK for Charlton Company software. The situation was resolved when the foundation was given a license to use Charlton’s European trademark.

Versions

The Firefox project went through many versions before 1.0 was released on November 9, 2004. After a series of stability and security fixes, the Mozilla Foundation released its first major update, Firefox version 1.5, on November 29, 2005. Version 2.0 was released on October 24,2006. Firefox 3.0 was released on June 17, 2008, with Version 3.5 and Version 3.6 released on June 30, 2009 and January 21, 2010 respectively. Version 4.0 was released on March 22, 2011. With Version 5.0 onwards the rapid release cycle was realized which envisions a new major version release every six weeks on Tuesday. Firefox 10, was released on January 31, 2012. The latest version, Firefox 10.0.2 was released on February 16, 2012

Key Terms

1. Software bloat is a process whereby successive versions of a computer program include an increasing proportion of unnecessary features that are not used by end users, or generally use more system resources than necessary, while offering little or no benefit to its users.
2. Mozilla Suite: Codenamed, internally referred to, and continued by the community as SeaMonkey, which integrated features such as IRC, mail and news, and WYSIWYG HTML editing into one software suite.
3. A Firefox is another name for the red panda, a red­-furred, endangered mammal related to the giant panda and found in the Himalayas, China and Myanmar.

References

1. http://en.wikipedia.org/wiki/Firefox
2. http://en.wikipedia.org/wiki/History_of_Firefox
3. http://www.foxkeh.com/downloads/history/history­original.pdf
4. http://news.cnet.com/2100­1032_3­1000146.html
5. http://web.archive.org/web/20070914035447/http://www.ibphoenix.com/main.nfs?a=ibphoenix&page=ibp_Mozilla0
6. http://news.cnet.com/2100­7344­5156101.html
7. http://www.zytrax.com/tech/web/firefox­history.html
8. http://computer.howstuffworks.com/internet/basics/firefox1.htm
9. http://www­cs­faculty.stanford.edu/~eroberts/cs201/projects/firefox­market­dynamics/
10. http://www.andrewturnbull.net/mozilla/historyfx.html