Entries Tagged ‘Risk Management’

Is embedded security necessary?

Wednesday, February 16th, 2011 by Robert Cravotta

I recently had an unpleasant experience related to online security issues. Somehow my account information for a large online game had been compromised. The speed with which the automated systems detected that the account had been hacked into and locked it down is a testament to how many compromised accounts this particular service provider handles on a daily basis. Likewise, the account status was restored with equally impressive turn-around time.

What impacted me the most about this experience was realizing that there is obviously at least one way that malicious entities can compromise a password-protected system despite significant precautions to prevent such a thing from occurring. Keeping the account name and password secret; employing software to detect and protect against viruses, Trojan horses, or key loggers; as well as ensuring that data between my computer and the service provider is encrypted were not enough to keep the account safe.

The service provider’s efficiency and matter-of-fact approach to handling this situation suggest there are known ways to circumvent the security measures. The service provider offers and suggests using an additional layer of security by using single-use passwords from a device they sell for a few bucks and charge nothing for shipping.

As more embedded systems support online connectivity, the opportunity for someone to break into those systems increases. The motivations for breaking into these systems are myriad. Sometimes, such as in the case of my account that was hacked, there is the opportunity for financial gain. In other cases, there is notoriety for demonstrating that a system has a vulnerability. In yet other cases, there may be the desire to cause physical harm, and it is this type of motivation that begs this week’s question.

When I first started working with computers in a professional manner, I found out there were ways to damage equipment through software. The most surprising example involved making a large line printer destroy itself by sending a particular sequence of characters to the printer such that it would cause all of the carriage hammers to repeatedly strike the ribbon at the same time. By spacing the sequence of characters with blank lines, a print job could actually make a printer that weighed several hundred pounds start rocking back and forth. If the printer was permitted to continue this behavior, mechanical parts could be severely damaged.

It is theoretically possible to perform analogous types of things with industrial equipment, and with more systems connected to remote or public networks, the opportunities for such mischief are real. Set-top boxes that are attached to televisions are connecting to the network – offering a path for mischief if the designers of the set-top box and/or television unintentionally left an opening in the system for someone to exploit.

Is considering the security implications in an embedded design needed? Where is the line between when implementing embedded security is important versus when it is a waste of resources? Are the criteria for when embedded security is needed based on the end device or on the system that such device operates within? Who should be responsible for making that call?

Can we reliably predict the winners?

Wednesday, February 9th, 2011 by Robert Cravotta

The Super Bowl played out this weekend and the results were quite predictable – one team won and the other lost. What was less predictable was knowing which of those teams would end up in the win column. Depending on their own set of preferences, insights, and luck, many people “knew” which team would win before the game started, but as the game started and continued toward the final play of the game, many people adjusted their prediction – even against their own wishes – as to the eventual outcome of the game.

Now that this shared experience has passed, I think it appropriate to contemplate how well we can, as individuals and as an industry, reliably predict the success of projects and technologies that we hope for and rely on when designing embedded systems. I think the exercise offers additional value in light of the escalating calls for public organizations to invest more money to accelerate the growth of the right future technologies to move the economy forward. Can we reliably predict which technologies are the correct ones to pour money into (realizing that we would also be choosing which technologies to not put research money into)? In effect, can and should we be choosing the technology winners and losers before they have proven themselves in the market?

Why does it seem that a company, product, or technology gets so much hype just before it falls? Take, for example, Forbes Company of the Year recipients Monsanto and Pfizer, which appeared to be on top of the world when the award was given to them and then almost immediately afterwards faced a cascade of things going horribly wrong. I will only point out that competition in the smartphone market and tablet computing devices has gotten much more interesting in the past few months.

I remember seeing a very interesting television documentary on infomercials called something like “deal or no deal”. I would like to provide a link to it, but I cannot find it, so if you know what I am referring to please share. The big takeaway for me was one segment where a 30-year veteran in the infomercial world is asked if he knows how to pick the winners. The veteran replied that the success rate in the market is about 10% – meaning that of the products he down-selects to and actually brings to market, only 10% are successful. Despite his insights into how the market responds to products, he could not reliably identify which products would be the successful ones – luck and timing still played a huge role in a product’s success.

Luck and timing are critical. Consider that the 1993 Simon predates the iPhone by 14 years and included similar features that made the iPhone stand out when it was launched, including a touch screen. Mercata predates Groupon, which Google recently acquired for $2.5 billion, by almost a decade; timing differences with other structures in the market appear to have played a large role in the difference between the two companies’ successes. In an almost comical tragedy, the precursor to the steam engine that was perfected by Hero (or Heron) of Alexandria and used in many temples in the ancient world barely missed the perfect applications at Diolkos – and we had to wait another 1500 years for the steam engine to be reinvented and applied to practical rather than mystical applications.

I meet many people on both sides of the question: should we publicly fund future technologies to accelerate their adoption? My concern is that the track record of anyone reliably predicting the winners is so poor that we may be doing no better than chance – and possibly worse – when we have third-party entities direct money that is not their own to projects they think may or should succeed. What do you think – can anyone reliably pick winners well enough to be trusted to do better than chance and allocate huge sums of money to arbitrary winners that still need to stand up to the test of time? What are your favorite stories of snatching failure from the jaws of victory?