Saturday, January 25, 2014

Internet of Things: What Strange Things Can Happen

It was about 6 years back that we started to see WiFi-enabled digital cameras, and we wondered what WiFi had to do with a digital camera. But with that, the digital cameras were able to upload the captured images automatically to cloud-based photo albums. Later came GPS-equipped digital cameras, which attach the location to the captured images. Of course, with smartphones equipped with higher-resolution cameras, digital cameras are on the decline. That is just a well-known example of how a 'thing', or a smart thing, can connect to a network and share useful data for a purpose. So much has evolved since then, and we now see a world of possibilities in having all the 'things' connected.

Researchers see a lot of benefits in making things smart and interconnecting them. Networking technologies are also evolving at a brisk pace, offering various improvements over the wireless technologies and protocols. We can see this trend advancing further, and it may mature in about two decades from now. Looking further, in line with my blog on Human Interface Technology, even humans can remain connected, and that will render human disabilities a thing of the past century.

If you followed this year's CES, it is evident that the future is all about connected devices. We could see everyday devices equipped with sensors and connectivity working together, understanding what we're doing, and operating automatically to make our lives easier. Here are some real-world examples of the Internet of Things:

A smart refrigerator can read the embedded tags on the grocery items stored in it and then, using the supporting backend platform on the cloud, identify the items and fetch details such as the date of manufacture, expiry date, quantity, etc. Thus the fridge may alert consumers about the state and stock of such items. With the kind of wearable gadgets that we see now, these alerts can come through such devices too. It is left to your imagination to what extent this smart capability can be extended.

Medical and emergency care is another area where smart 'things' play a very useful and life-saving role. For instance, a connected car can call emergency services faster than a mobile phone. Again, with the help of embedded or worn smart gadgets, the hospital can learn the patient's history as the patient arrives and can get ready for emergency care, thereby saving precious time, which can be life-saving. Check out this interesting video. Also check out this video that IBM has made describing how the Internet of Things is growing fast and could reach into the everyday life of human beings.

Extending this further to the daily routines of a business executive, the possibilities are endless, and here are some that are close to reality, if not already real:

  • Once your smartphone hears a hint about a meeting in a conversation, it will look up your calendar in the background and pass on the busy / free information. If the executive uses a glass, then he would see the schedule as he talks, which facilitates the scheduling of meetings.
  • Smart alarms will be smart enough to consider information such as what time you went to sleep and the schedule (both personal and official) for the following day, and thus will intelligently decide the wake-up time in the morning and trigger the alarm.
  • Depending on traffic conditions, your car will intelligently suggest alternate routes to reach the office or another scheduled meeting venue and, if needed, automatically inform the meeting organizers about the possible delay or seek rescheduling of the meeting.
  • As you drive back home, you just remember that you need to pick up some drugs from a drugstore. Your smart car will already know this and will identify a store that stocks the drugs you need and that is on, or close to, the route you drive. It can even place the order with the store and have the store keep your items ready for delivery; you just need to pick them up en route.
  • Needless to say, your car will be smart enough to perform health diagnostics on itself and will decide on the best date for its own garage visit so that your schedule is not impacted.
  • These smart things will know about your presence and which device is in touch with you for sending out alerts. For example, if you are at home watching TV, you may see your TV showing alerts from your washing machine; similarly, when you are at work, your smartphone would be used to show these notifications.
  • Here are some more ways the 'Internet of Things' can impact your daily life.

Coming back to the household: you are watching your favorite action movie with surround sound and you did not change your smartphone from silent mode back to a ringing profile. You don't have to worry; your smartphone knows what you are up to and over a period would have learnt by itself which calls you would want to answer in this situation, and accordingly rejects the call by answering the caller appropriately. If it is an important call that you wouldn't want to miss, it knows that already and will tone down the TV audio volume, drawing your attention to the call; you don't have to reach for your phone, as your TV will take over the call from your smartphone. To extend this further, depending on the profiles of other members of the house, which the house already knows through its sensors and networks, your smartphone will decide whether or not to route the call to the TV.

We can now visualize the possibilities, and they are endless. The smart things will have built-in learning capability and will keep learning from their master's behavior to perfect their services. This trend could lead us to a situation where the things, by themselves or under the influence of hackers, attempt to take over human beings as portrayed in some recent science fiction movies. On top of this, hackers will also be leveraging these smart abilities to hack into these connected networks and could do whatever they have been doing with connected systems now.

Here is how the hackers can intrude into your digital lifestyle:

  • We have already seen reports of smart refrigerators sending out spam emails.
  • By hacking into your house network, hackers may get to know how many members are home, or whether there is no one inside the home, information that will be useful for them to plan their burglary attempts, etc.
  • Your TV may refuse to play your favorite channel and will rather play content that the hackers prefer you to watch.
  • Your car may drive to a place different from where you wanted to visit. On the same lines, hackers can execute traffic diversions and cause traffic jams as portrayed in the movie Die Hard 4.
  • All your orders for home supplies may be hacked and deliveries may happen elsewhere, while you would have paid for them. And of course, your house network will still acknowledge having received the deliveries, while it actually has not.
  • The impact of hacking into the emergency service network could be huge and life threatening.
  • Your smartphone can be hacked to refuse critical business calls, thus causing revenue impact to your organization.

IDC anticipates that more than 200 billion connected devices will be in use by 2021, with more than 30 billion being autonomous devices. Cisco's Internet Business Solutions Group (IBSG) predicts some 25 billion devices will be connected by 2015, and 50 billion by 2020. How will having lots of things connected change everything? Find the answer in the infographic. With all this, the Internet of Things is coming and will soon be here to stay. Whether we humans are ready to take on this evolution remains to be seen.

Friday, January 17, 2014

REST Services - Security Best Practices

As most of us know, REST (Representational State Transfer) is an architectural principle that is gaining increasing recognition among architects for the inherent advantages it offers. REST recommends the use of standards such as HTTP, URI, XML and JSON and formats such as GIF, MPEG, etc. Twitter, iPhone apps, Google Maps, and Amazon Web Services (AWS) demonstrate heavy use of REST services. The basic tenet of REST is statelessness, and it is all about utilizing the HTTP commands GET, PUT, POST and DELETE as outlined in the HTTP RFC.

Obviously, architects see some key advantages in REST services, and so REST implementation becomes an important consideration in responsive, service-oriented applications. Let us recap some of the key advantages:

  • Resources can be uniquely identified using URIs, which facilitates interconnection of these resources.
  • Resource manipulation is accomplished using the standard HTTP verbs, viz. GET, PUT, POST, DELETE.
  • The data payload is minimal and thus offers capacity and efficiency benefits.
  • Easier implementation offers a shorter learning curve, maintainability and a time-to-market advantage.
  • Increased support from JavaScript offers client-side computing benefits and thus improves responsiveness.

Needless to mention, there are certain disadvantages too with REST services, and here are some:

  • Prone to the same level of threats and vulnerabilities as HTTP and the Web.
  • Improper use of the HTTP commands could lead to problems and complicate the design.
  • Relies on very few standards.

Some of the security challenges with REST Service implementations are outlined below:

Chained trust is challenging for web service implementations, and the situation is no different with REST. Unlike in the case of SOAP, standards like WS-Security and SAML cannot be used with REST services. This calls for relying on a combination of security mechanisms that are specific to each implementation. Here are some such security mechanisms, which in combination may help overcome this concern:

  • Use digital certificates for authenticating the server and the user.
  • Pass the user's identity from server to server and perform the necessary validation and authorization at the data source.

Cross-site request forgery (CSRF) attacks attempt to force an authenticated user to execute functionality without their knowledge. Being stateless, REST is inherently vulnerable to CSRF attacks. The workarounds for this security concern are:

  • Use of a custom header: setting a custom header such as an X-XSRF header is known to be a solution for this concern. The endpoints receiving the REST service requests reject or drop any request in which the intended custom header is not present. It is to be noted that this is not a foolproof technique, but at the same time it offers some protection rather than none.
  • Another approach is to deviate from the basic tenets of REST and maintain state, in which case a token can be generated and maintained to authenticate the requests, so that requests carrying an invalid token or no token can be dropped or rejected.

While the above are just examples of the concerns, REST services, being based on the HTTP specifications, are prone to all the security vulnerabilities of a web application. Thus a REST implementation, while it is the easier choice due to the advantages listed above, should also be built with due consideration of some or all of the following security best practices:

  • All data must be sent over HTTPS; this ensures the data is secured in transit.
  • Use PKI or HTTP Digest Authentication for authentication.
  • Always perform authorization for every request upon receipt.
  • Scan HTTP headers, query strings and POST data, and look for reasons to reject a request.
  • Don't combine multiple resources under a single URI; always uniquely identify each resource, so that the security implementation can be simple and relevant to the specific resource.
  • Always validate the JSON / XML data.
  • Ensure appropriate use of the HTTP commands for managing the resources and enable selective restriction of these commands.
  • Design URIs to be persistent. If a URI needs to change, honor the old URI and issue a redirect to the client.
  • Caching should generally be avoided where possible, and sensitive data should never be cached.
  • When developing REST solutions, take care not to create URIs that contain sensitive information.
  • The requester should be authenticated and authorized before an access control decision is completed.
  • All access control decisions shall be logged.
  • Code as if protecting the application.
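
As an added example (not code from the post), here is a small request gate in Python that applies the custom-header CSRF workaround from the previous section together with several of the best practices above: HTTPS only, per-request authentication, a per-resource authorization check against the URI, inspection of headers and query strings for reasons to reject, JSON validation before any business logic, and logging of every access-control decision. The session store, resource ownership table, server secret, the `X-XSRF-Token` header name and the derivation of its value (an HMAC of the session cookie, so the server keeps no extra state) are all assumptions constructed for this example.

```python
import hashlib
import hmac
import json

# Constructed sample data for this example (not from the post): the server-side
# secret used to derive anti-CSRF tokens, the session cookie -> user mapping,
# and which user owns which order resource.
SERVER_SECRET = b"example-only-secret-rotate-me"
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ORDER_OWNERS = {"/orders/1": "alice", "/orders/2": "bob"}
ALLOWED_METHODS = {"GET", "PUT", "POST", "DELETE"}
STATE_CHANGING = {"PUT", "POST", "DELETE"}
MAX_BODY_BYTES = 4096
ACCESS_LOG = []  # every access-control decision is appended here


def csrf_token_for(session_token):
    """Value the client must echo in X-XSRF-Token for state-changing requests.

    Assumed design: HMAC-SHA256 of the session cookie under a server secret. A
    cross-site page can make the browser attach the cookie but cannot read it,
    so it cannot compute this value; the server needs no per-user state.
    """
    return hmac.new(SERVER_SECRET, session_token.encode(), hashlib.sha256).hexdigest()


def _session_from_cookie(cookie_header):
    """Pull the 'session' value out of a Cookie header; '' if absent."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "session":
            return value
    return ""


def _has_control_chars(value):
    """Header/query values carrying CR, LF, NUL or other control bytes are rejected."""
    return any(ord(ch) < 32 or ord(ch) == 127 for ch in value)


def _validate_order_body(raw):
    """Body must be a JSON object whose only key is 'quantity', a positive int."""
    try:
        data = json.loads(raw)
    except (ValueError, TypeError):
        return None
    if not isinstance(data, dict) or set(data) != {"quantity"}:
        return None
    qty = data["quantity"]
    if isinstance(qty, bool) or not isinstance(qty, int) or qty <= 0:
        return None
    return data


def check_request(req):
    """Gate one request modelled as a dict: scheme, method, path, headers, query, body.

    Returns (status, reason). Checks run in order: transport, verb, header and
    query hygiene, body size, authentication, anti-CSRF header, authorization
    against the named resource, payload validation. Each decision is logged.
    """
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    query = req.get("query", {})
    body = req.get("body", "")
    method = req.get("method", "")
    path = req.get("path", "")

    if req.get("scheme") != "https":
        return 403, "plaintext transport refused"
    if method not in ALLOWED_METHODS:
        return 405, "method not allowed"
    if any(_has_control_chars(v) for v in list(headers.values()) + list(query.values())):
        return 400, "control characters in request"
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"

    # Authenticate on every request; nothing is remembered between calls.
    session_token = _session_from_cookie(headers.get("cookie", ""))
    user = SESSIONS.get(session_token)
    if user is None:
        ACCESS_LOG.append((method, path, None, "deny:unauthenticated"))
        return 401, "unauthenticated"

    # Anti-CSRF: a forged cross-site request arrives with the cookie but without
    # the custom header, so every state-changing verb must carry a valid one.
    if method in STATE_CHANGING:
        presented = headers.get("x-xsrf-token", "")
        expected = csrf_token_for(session_token)
        if not hmac.compare_digest(presented.encode(), expected.encode()):
            ACCESS_LOG.append((method, path, user, "deny:csrf"))
            return 403, "missing or invalid X-XSRF-Token"

    # Authorize against the single resource the URI identifies.
    owner = ORDER_OWNERS.get(path)
    if owner is None:
        ACCESS_LOG.append((method, path, user, "deny:unknown-resource"))
        return 404, "no such resource"
    if owner != user:
        ACCESS_LOG.append((method, path, user, "deny:not-owner"))
        return 403, "forbidden"

    # Validate the payload before any business logic sees it.
    if method in {"PUT", "POST"} and _validate_order_body(body) is None:
        ACCESS_LOG.append((method, path, user, "deny:bad-payload"))
        return 400, "invalid JSON payload"

    ACCESS_LOG.append((method, path, user, "allow"))
    return 200, "ok"


def sample_request(**overrides):
    """Constructed, well-formed request from alice; overrides replace fields."""
    base = {"scheme": "https", "method": "PUT", "path": "/orders/1",
            "headers": {"Cookie": "session=tok-alice",
                        "X-XSRF-Token": csrf_token_for("tok-alice")},
            "query": {}, "body": '{"quantity": 3}'}
    base.update(overrides)
    return base


if __name__ == "__main__":
    print(check_request(sample_request()))
    # what a cross-site form could make the browser send: cookie, no custom header
    print(check_request(sample_request(headers={"Cookie": "session=tok-alice"})))
    print(check_request(sample_request(scheme="http")))
```

The order of the checks matters: the cheap, unauthenticated rejections (transport, verb, control characters, size) run first so that hostile input never reaches the parsers, and authorization is evaluated against the exact resource path rather than a wildcard, which is what keeps the policy simple when each URI names one resource.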

Here are certain useful readings on securing REST services:

Friday, January 3, 2014

Human Technology Interfaces - What The Future Has In Store

All of us would have read something or other on technology advancements that work with the human body. For example, we have Health IT companies experimenting with embedding memory chips under the skin of the human body to store the individual's health records, so that when you walk into a clinic, the clinic will know your health history and be able to suggest the further course of action, and all this can happen with a non-human front office assistant. Similarly, with advancements in brain interfaces, and along the lines of the movie "Minority Report", the police and investigation authorities may get into crime prevention mode, i.e. they will know the moment you think of committing a crime, and with technologies like virtual presence, surrogates, etc., this might be accomplished without any human casualties.

There are more such advancements, and in this blog my attempt is to present a few scenarios that could be a possibility in the near future and the effects that these can have on various attributes of mankind.

Glass: With further advancement, Google Glass-like gadgets could be miniaturized and worn like contact lenses. These lenses would be able to interface with things around you. For instance, the refrigerator will greet you with the current temperature, and you will know what is inside various containers by looking at them (without opening), along with details like quantity, how many days they have been stored, etc. Again, with added gamification, one will enjoy performing various tasks on the kitchen table. While assisting you in performing tasks like chopping vegetables, these things will also keep a score of how you perform, so that you enjoy doing these tasks. These gadgets, coupled with access to public and private data stores, help you in decision making, which can enhance one's Personal Intelligence (PI). Check out this video to have a glimpse of what I have tried to narrate here.

Brain Interface: Gadgets like Brain Link are already in the market, which, coupled with related applications on smartphones, give beneficial gaming experiences like attention training, meditation, neuro-social gaming, and research and knowledge about the brain. Most of us would have watched the movies 'Surrogates', wherein humans stay indoors while their surrogates go out to work, and 'Minority Report', where the police and justice department get alerts the moment someone thinks of committing a crime. Quite a few science fiction imaginings of the past have become reality now. Recent research accomplishments are evidence that even the fiction exhibited in the above movies might become a reality some day that is not very far away. For instance, researchers at Harvard have demonstrated a non-invasive brain-to-brain interface wherein humans could control animals with their thoughts alone.

Given that continued advancements in brain interfaces will further these accomplishments, coupled with various other inventions, the next generation of mankind may experience the following:

  • Personal Intelligence can be augmented by wearing or embedding devices and / or gadgets.
  • Though humans can have private thoughts, these will be subject to review or audit by government agencies, and no wonder securing your thoughts would become absolutely essential.
  • Shopping will be virtual, and all products can be virtually felt / experienced sitting at home and then ordered.
  • All 'things' would have interfaces to interact with humans.
  • A blink or double blink can be programmed to perform certain actions, like taking a snapshot of what you have been seeing at that moment, etc.
  • Artificial or virtual dreams will become reality, and one can have a choice of dreams and a choice of character. Extending this, one would be able to watch a favorite movie while sleeping and cast oneself as a character in the movie.
  • With Body Area Networking and embedded nano chips across various critical body parts, self-diagnosis with alerts might be a possibility.
  • Human disabilities can be worked around using robotic body parts and brain interface technology.
  • The hacking community would sharpen their skills and explore opportunities for hacking human thoughts and human memory, which could be the biggest security and privacy threat for security experts to combat.

Here are some more videos demonstrating the innovations that are taking place around human technology interfaces:

  • Ford takes SYNC to the next level through the use of configurable controls and the use of an electronic personal assistant, or "avatar," named Eva
  • Someday we'll be living on and under the oceans. This idea isn't far-fetched, and if it comes true, then here's the answer to a new type of underwater transportation system.
  • Using a brain-computer interface technology pioneered by University of Minnesota biomedical engineering professor Bin He, several young people have learned to use their thoughts to steer a flying robot around a gym, making it turn, rise, dip, and even sail through a ring.
  • Cathy Hutchinson has been unable to move her own arms or legs for 15 years. But using the most advanced brain-machine interface ever developed, she can steer a robotic arm towards a bottle, pick it up, and drink her morning coffee.
  • At Barcelona University, scientists are working on a European Research Project to link a human brain to a robot using skin electrodes and video goggles so that the user feels they are actually in the android body wherever it is in the world.