Archive for May, 2017

But what about usability?

Wednesday, May 17th, 2017

Thin and beautiful devices are commonplace nowadays, but it feels like nobody cares about usability any more.

What got me thinking about this is the age of my laptop. It’s an older Lenovo and has an awesome keyboard. We’re talking full keys, long travel, pre-chiclet design. My laptop is ugly as sin, but really easy to use when I travel. Sooner or later I’m going to have to replace this thing, and it seems that all laptops nowadays have chiclet keyboards. Ugh. I find it difficult to type at any appreciable speed on chiclet keyboards.

The newer keyboards look nicer, but with smaller keys and shorter vertical travel they are harder to use.

This is a part of a larger trend.

Another example is very thin phones — with too small batteries and consequently less-than-desired battery life. I’d really rather my phone was 1mm thicker, a few tens of grams heavier, but had twice the battery life. I think most consumers might agree with me on that one.

Want another example? How about SIM cards. Oh how I hate the shrinkage of SIM cards! I travel often and instead of paying high roaming fees, I like to pick up a local SIM card when I arrive at foreign airports. That works great, but the SIM cards themselves have become so small that they are hard for someone with adult-size fingers to manipulate. Was it really necessary to shave off an extra few square millimeters? All SIM cards are electrically identical — the shrinkage is just in the plastic surrounding the chip. The original SIM card design was quite small already, and the new “micro” and “nano” SIMs are awful.

I’ve got more examples! Ports on laptops are one: many new laptops either omit ports (Ethernet, VGA, etc.) or require dongles. Looks great, very thin, but quite a nuisance to use. Laptop power adapters are another. Why are there a hundred different kinds of plugs? Nearly every laptop adapter delivers something close to 20V at a few amps, so why do we need so many shapes and sizes of power plug?

Maybe this is an opportunity for some manufacturers to carve out a niche, selling to users who care about usability:

  • Build slightly thicker devices, with more ports and bigger batteries.
  • Support “big” SIM cards in phones.
  • Standardize on something like USB-C PD for power, even in laptops.
  • Advertise that these devices are built to be used, not just looked at.

Patch management in an IoT world

Tuesday, May 16th, 2017

The recent WannaCry ransomware outbreak spreading around the world has been both tragic and predictable. Tragic because it knocked out organizations doing important work, like the NHS in the UK. Predictable because there is a growing gap between security practices in the information technology (“IT”) and operational technology (“OT”) arenas.

In IT, we learned long ago that software is inherently buggy and that a reasonable defense against that is to patch — automatically and as quickly as possible once a patch is released. This reduces the window of opportunity for attackers.

We can talk about other causes: the NSA weaponizing zero-day exploits, or hackers stealing and remarketing that stuff. Both are problems, but I don’t imagine either is going to end any time soon.

We can point to Microsoft for introducing the bug in the first place, but to be fair their coding practices have been pretty good over the years and their response to security problems has been exemplary; in this case the fix had shipped roughly two months before the outbreak.

What remains is us, the end customers patching known problems.

Our IT shops generally do a pretty good job, though this bit of ransomware certainly caught out a few who may not have had the skills, mandate or funding to do it right.

What we aren’t talking about is systems that are not managed by any IT organization. Operational systems control the doors and heating and cooling systems in our offices. They run devices ranging from security scanners at airports to camera surveillance at the mall. These are “operational technology” — same basic technology as IT, but used to interface with and manage physical systems.

The trouble with OT is that it gets installed by people without IT skills. Heating/ventilation/air conditioning (HVAC) vendors install the PCs that keep us warm or cool. Physical security vendors install camera and door control systems. The list goes on. Worse, the systems they deploy are installed and forgotten. They keep running, without anyone thinking much about them, for decades.

Here’s a cool example: an old Commodore Amiga system running HVAC in a school for 30 years:

http://www.popularmechanics.com/technology/infrastructure/a16010/30-year-old-computer-runs-school-heat/

Historically, these systems have not been connected to any network. Their security basically relied on physical isolation, both from other computers and — behind locked doors — from unauthorized people. It didn’t matter if the code was buggy and exploitable, because only one or two authorized people could physically interact with them.

The world is changing, however. Your HVAC or security vendor wants to be able to assist you without a site visit. You want to be able to monitor who just walked into the building without leaving your desk. These systems are getting connected to (at least) private networks and in some cases to the public Internet.

That’s a problem, because these systems run old code, with nobody looking after the basics of security: firewalls, OS patches, intrusion detection, anti-malware and so on.

This is the brave new world of “Internet of Things” where old, unpatched devices perform critical functions and also get IP addresses.
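As an added illustration of the window-of-opportunity argument above (this is not code from the original post), here is a small Python triage over an asset inventory: for each asset it computes how many days the asset stayed vulnerable after a fix existed, and ranks network-reachable, ownerless, never-patched OT boxes above an IT workstation that was patched within a week. The asset names, the patch-release date and the inventory itself are assumptions constructed for the example.

```python
"""Patch-exposure triage across a mixed IT/OT inventory.

Added example, not code from the original post. Asset names, dates and the
inventory are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# How far a device is from the old "air gap" defence: higher = more exposed.
NETWORK_RANK = {"isolated": 0, "private": 1, "internet": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    owner: Optional[str]          # team that patches it; None = nobody does
    network: str                  # "isolated", "private" or "internet"
    last_patched: Optional[date]  # None = never patched since install


def window_open(asset: Asset, patch_released: date) -> bool:
    """True while the fix exists but has not been applied to this asset."""
    return asset.last_patched is None or asset.last_patched < patch_released


def exposure_days(asset: Asset, patch_released: date, today: date) -> int:
    """Days the asset was (or still is) vulnerable after a fix was available."""
    closed = today if window_open(asset, patch_released) else asset.last_patched
    return (closed - patch_released).days


def is_reachable(asset: Asset) -> bool:
    """Anything not physically isolated can be reached by an attacker."""
    return NETWORK_RANK[asset.network] > 0


def urgency(asset: Asset, patch_released: date, today: date) -> Tuple[bool, bool, int, int]:
    """Sort key: reachable-and-unpatched first, then unpatched, then network
    exposure, then how long the window has been open."""
    open_ = window_open(asset, patch_released)
    return (open_ and is_reachable(asset), open_,
            NETWORK_RANK[asset.network], exposure_days(asset, patch_released, today))


def triage(assets: List[Asset], patch_released: date, today: date) -> List[Tuple[str, int, List[str]]]:
    """Return (name, exposure_days, reasons) sorted most urgent first."""
    rows = []
    for a in assets:
        reasons = []
        if window_open(a, patch_released):
            reasons.append("unpatched")
        if is_reachable(a):
            reasons.append(f"reachable via {a.network} network")
        if a.owner is None:
            reasons.append("no owner: nobody will patch it")
        rows.append((a, exposure_days(a, patch_released, today), reasons))
    rows.sort(key=lambda r: urgency(r[0], patch_released, today), reverse=True)
    return [(a.name, exp, reasons) for a, exp, reasons in rows]


def unmanaged_and_reachable(assets: List[Asset]) -> List[str]:
    """The core worry: network-connected devices that no IT team owns."""
    return [a.name for a in assets if a.owner is None and is_reachable(a)]


# Constructed inventory; names and dates are illustrative, not real asset data.
PATCH_RELEASED = date(2017, 3, 14)   # assumed day a vendor fix became available
TODAY = date(2017, 5, 16)
INVENTORY = [
    Asset("it-workstation", "IT", "private", date(2017, 3, 20)),
    Asset("hvac-pc", None, "private", None),               # installed by HVAC vendor
    Asset("mall-dvr", None, "internet", date(2013, 6, 1)),  # remote vendor access
    Asset("amiga-hvac", None, "isolated", None),            # decades old, no network
]

if __name__ == "__main__":
    for name, exp, reasons in triage(INVENTORY, PATCH_RELEASED, TODAY):
        print(f"{name:15} {exp:4d} days  {'; '.join(reasons)}")
```

Run as a script it prints the ranked list; the isolated machine still shows an open window, since the ranking only treats the air gap as a mitigation, not as a reason to stop tracking the device.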

We should worry. Even if we do a good job building IoT systems today, how confident can we be that what we build today will still be secure in 10 years? 20? 30?