A Letter from the Ghost of Charles Darwin
From: Charles Darwin <charles.darwin[at]geolsoc.org.uk>
Subject: Re: cost & effort estimation (IoT Security)
Date: Tue, 27 Dec 2016 22:09:43 +0100
To: undisclosed-recipients:;
Dear friends, scientists & scholars,
your recent proposals on how to «fix» IoT & Cyber Security made me turn in my grave. Have you read my On the Origin of Species? Probably not, because I wrote it such a long time ago, when the pen was still mightier than Emacs. I am still getting to grips with the latest publishing standards and with social media in general. I have just learned how to use «Twotter» and am excited that all my submissions so far were accepted and published by the good people at Twotter (unlike my earlier work). Because I know how much you dislike reading long texts like mine, here is a TL;DR that fits into a tweet. Feel free to meme-quote me for fake Internet brownie points:
"It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change!"
— Cyber Darwin (@IoTDarwinAward) December 27, 2016
Here it is once more, but with better context for engineering:
"As the complexity of an organism or system increases, its speed, ability to change and resilience diminish."
— Cyber Darwin (@IoTDarwinAward) December 27, 2016
-- Cyber SunTzu 101
The difference between a «system» and an «organism» is that systems are deterministic and predictable (this is oversimplified, but at least they should be in theory). Every possible scenario of how a system behaves can be modeled, tested and verified. But systems are unable to alter their own state in order to improve their odds. Organisms do. A «self-healing system», or one that is aware of its environment, or one able to improve its pre-programmed decision making, is therefore more than a mere system. At least from a verification & risk-management perspective we can no longer treat it as such.
Obviously, just because your code has never been tested and contains more bugs than Grace Hopper's wiring cabinet doesn't automatically make it an organism … It's just poor code and you should feel bad :-)
But thinking about «organisms» instead of systems may help us better understand the Sisyphean (and impossible) nature of what we're up against when fixing IoT. Think in terms of organisms and you will suddenly see through the security industry's carefully designed lies to make you a returning customer: «Just use a/b/c and things will be secure».
All organisms make mistakes. First making, then recognizing them, is key to avoiding the same ones in future. Frequently recurring mistakes in small doses are a valuable by-product of an organism's quest to improve its future accuracy.
How far this search for truth may escalate when the intelligent mind gets bored is shown by my good old friend Sir Isaac Newton, who happens to lie just a couple of graves up from mine, here at Westminster Abbey. He doesn't like me talking about it, but you can read it everywhere online, so it's not actually a secret. Newton once inserted a bodkin needle (the sort used for sewing leather) into his eye socket and rubbed it around, just to see how far he would get:
I tooke a bodkine gh & put it betwixt my eye & [the] bone as neare to [the] backside of my eye as I could: & pressing my eye [with the] end of it (soe as to make [the] curvature a, bcdef in my eye) there appeared severall white darke & coloured circles r, s, t, &c. Which circles were plainest when I continued to rub my eye [with the] point of [the] bodkine, but if I held my eye & [the] bodkin still, though I continued to presse my eye [with] it yet [the] circles would grow faint & often disappeare untill I removed [them] by moving my eye or [the] bodkin.
Our «bodkin needle» is IoT. Human rights, personal privacy and free speech are the eyeball. Existing software-based trust models do not provide enough assurance to make the kind of safety-critical decisions that are common in the world of IoT. Serious risk management requires that at least some entity somewhere has «Skin in the Game».
Establishing context can be difficult with umbrella terms like «Security» or «IoT». Forget traditional engineering books, considering that it's not just an engineering problem. Thinkers like Pastor Manul Laphroaig and Nassim N. Taleb, or Internet pioneers like Dan Geer, can teach you everything about the robustness and resilience of systems and organisms.
Maybe in future you could ask these guys first before raising the dead?
Yours with much respect,
Ch. «Cyber» Darwin
PS: be wary of any prescribed cure. Especially if your doctor has 3 mortgages and an extreme case of Dunning–Kruger.
--
motto: POC||GTFO
email: charles.darwin[at]geolsoc.org.uk
twitter: @IoTDarwinAward