2016 Winners

== Intro

Rebecca Herold sums up perfectly what a misnomer «IoT» actually is:

For the past several years, a lot of research, writing and speaking has been focused on the Internet of Things (IoT) and the smart devices that are used within it. The technology is evolving faster than most can keep up with, given all the reports that are published. It is also a misnomer to keep referencing it as the IoT when, in progressively more instances, the Internet is not even involved. It is becoming more like the Network of All Things (NoAT), with more capabilities that are emerging for smart devices to communicate directly with each other in ways that go beyond the long-standing peer-to-peer (P2P) communications. And as these new technologies emerge, many are not being designed under any existing legal requirement to include security and privacy controls. For example, wearable fitness devices, home energy controllers, driverless and Internet-connected cars, smart watches, and many others seem to be designed with an ultimate goal of being newsworthy for how much data they can collect, analyze and share, without the auspices of virtually any regulatory authority to establish a minimum set of security and privacy controls [emphasis added]. Establishing security and privacy requirements for these growing numbers of personal smart devices is needed yesterday.

What is more damaging and dangerous to our society: drone programs, or women's health trackers disguised as fashion accessories, marketed through lifestyle magazines (but essentially collecting medical records)? An IoT engineer's position on what and who needs protection depends on where their money is (or on what puts their kids through college).

Before we commence this ranty journey down into the IoT swamp, check out these talks and papers. They form the corpus for the 2016 nomination. My hope is that more of us critically question the ethics of our profession. If your paper or talk is listed, I'd like to thank you personally for shining a light on the IoT's rotten underbelly.

== The Winner 2016

Our immune system becomes more resilient and even gains from small shocks and stresses in regular doses. How resilient is our Internet today? In the '90s vendors got caught with their pants down for shipping routers and other devices with insecure, publicly known default credentials. In 2016 the same broken IT security and privacy principles from the '80s are applied to IoT. The result: Mirai, which does essentially the same thing as non-IoT malware (scan for exposed Telnet services, log in with a short list of factory-default credentials, enrol the device in a DDoS botnet), only on a larger and faster scale. Wouldn't it be hypocritical to point the finger at IoT vendors and let our idiotic ideas from the past two decades (such as centralized data orchestration and SaaS, all the way to Internet.org) go unrecognized?

The IoT is the Internet's technical debt collector. For the DevOps crowd out there: Mirai is the IoT version of Netflix's Chaos Monkey, currently running «in production» across the whole Internet. Maybe (and only from a risk-management point of view) the Internet engineering community ought to applaud the Mirai botnet author for preventing us from flying too close to the sun? I'm sure N. N. Taleb would agree.

After all these years of security engineering, we still lack an accountable trust provider to verify the identity of another party reliably. Digital trust managed by corporations like Symantec, Comodo or DigiNotar (any company, really) never worked in IT. Believing that we can reuse the current digital trust anchors within IoT/M2M is typical engineer-think. Would you accept, in the real physical world, birth certificates or identity documents issued by the local deli? I doubt it. Yet we try to get away with the same in our digital lives, and nobody seems to question it.

We should also look at the world of tech standardization when vendor bashing. Despite all the effort the standards bodies put into appearing «open and transparent», they do little to include the public maker communities (and the real innovators, who all live over at git(hub|lab)). It should be them who shape the general direction of where technology goes, not whatever an uninformed consumer votes for with their wallet. Standardization, and technology in general, is biased. Cool tech like P2P has been living on the fringes since the '90s, and you can forget «P2PoLTE» for the next 10 years simply because your mobile operator won't know what to do with your OTT routing. Ideas that embrace decentralization and an end to the data-driven pilgrimage are extremely dangerous to the established industry that owns the standards. Maybe what we need is «yet another standards body», one that gives the maker community as much voice and attention as vendors get at W3C, ETSI and ITU-T? Asking a standard to predict every possible future misuse of a technology is impossible when the goal is to make the standard as popular as possible (and hence a «standard»).

The true winner of 2016 can therefore only be: our existing Internet infrastructure, with all its insecure, ancient protocols that we're too scared to move away from. The Internet, now at the proud age of 39 … we hope it soon snaps out of this midlife crisis and realizes it has to change before the house, partner, car, kids and even the dog have gone!