[Cryptography] Confidentiality and IoT (was: Old Let's Encrypt's Root Certificate expires...)

Jerry Leichter leichter at lrw.com
Sun Oct 3 22:35:56 EDT 2021

> Veering even farther off-topic, I don't really think confidentiality
> is the problem with where IoT is going.
> I recently had my home HVAC replaced and the installer put in what
> had the potential to be a "smart thermostat" but the "smartness" of
> it depended on me creating an account on some random Web site,
> giving its operators my personal details, and then configuring the
> thermostat to report what's going on to them so that they could in
> turn provide me with access to *their* data about my home....
This is a way broader trend.  There's a big push within the entire IT industry to make everything "Web-centric."  It used to be that you managed your routers or other devices by connecting to command line interfaces.  These were replaced, starting 10-15 years ago, by embedded web servers.  Now the trend is to have an Internet connection back to a service provided by the vendor.  Cisco, for example, has a whole bunch of Internet-based management services for your Cisco products (and more) https://www.cisco.com/c/en/us/products/cloud-systems-management/product-listing.html

These things do have their advantages for their users.  I don't know about Cisco specifically, but an early pioneer of such services was PureStorage, which monitored storage arrays you got from them and did things like automatically send you an email if something was beginning to go bad and dispatch someone to fix it.  (Actually, DEC did something of this sort by the early 1980's, but it had to be based on dialup lines!)  For the vendors, though, such services are an immensely valuable source of information about what users are actually doing with their devices.  And, of course, the line between fixing issues and selling can be thin - if your PureStorage array is filling, they're only too happy to offer you a good deal on some more storage.

So ... even those services that aren't moving into public clouds are, at the control level ... moving to cloud.

All kinds of things are subject to the same pressures.  Cars are increasingly network nodes - Tesla is leading the way, but others are following close behind.  The big sales pitch for 5G isn't even vaguely phone services - it's exactly this kind of integration of everything all the time.

I - and others - observed many years ago that there's a great cycle in centralization/decentralization.  The grand dream of Multics was of the "computer utility":  Computation coming out of a wall socket.  Then we went through a long move to minicomputers and microcomputers and PC's and all that stuff.  These days, the Cloud and the Internet in general are moving us back to the computer utility model - even as we push not-so-long-ago unimaginable amounts of power into people's pockets and onto their wrists.

It's actually fascinating to look at Apple as an example, as they on the one hand are pushing really hard to move as much as possible out onto phones - local processing of more and more; contrast to Google's vision of their cloud providing you with a ton of processing to help your phone be clever - while on the other leaning more and more on "services" which bind you closer and closer to them on line.

There are tons of tradeoffs here, but they aren't discussed - the companies involved make them for all of us.  Just try to buy a non-smart-TV these days.

                                                        -- Jerry
