Internet of Hacks? Minimal prevention steps

Friday 21st Oct 2016 has been billed as the first large scale cybersecurity incident from the IoT world. The widely reported attacks involved inserting malware into devices to turn them into a network of controllable bots, which was then directed to attack websites. One of the principal targets was Dyn, the DNS provider to Twitter, Reddit, GitHub, PayPal, Spotify, Heroku, SoundCloud, Crunchbase, Netflix, Amazon and others. More than 10 million devices were alleged to be hacked and almost all of them (96%) were IoT devices, according to Level 3 Threat Research Labs.


These devices are typically headless (no screen) but are full-fledged (Linux) computers. Constrained IoT devices, by contrast, use microcontrollers instead of a CPU and a real-time micro OS like TinyOS, Contiki, mbed etc. However, there is no question that attacks on those too will come. The source code of the Mirai malware has been released publicly (open sourced), fuelling an arms race between attackers and defenders.

There are important public policy and regulatory aspects to the repeated vulnerability of the Internet, but here we provide some advice on the minimal steps we need to take to reduce basic vulnerability.

Network Operators (ISP, Cellular)

Network operators may end up being the spider at the centre of the web and play a central role in securing the IoT.

Cellular operators have traditionally not been very forthcoming on security and have long grappled with vulnerabilities in Signalling System 7 (SS7), the protocol that allows all operators to talk to each other. SS7 – the central nervous system of the worldwide mobile network – connects our phones and allows us to move around while using them. More people use SS7 than the Internet. This 1975-vintage system is full of vulnerabilities. Google “SS7 hacks” to see how WhatsApp or Telegram can be tapped. In IoT, we are dealing not just with information and money but with life and death, and operators need to up their game quickly and by quantum jumps.

In the cat and mouse game being played out in cyberspace, the classical intrusion detection mechanisms are being bypassed. Attackers launch a few probes and, if they fail, go away, attack some other device and come back to this device a bit later. Unless we correlate activity across large slices of time it becomes difficult to detect this behaviour. Attackers are simulating humans! The network operator, however, can detect sustained attempts by a bot across multiple sites. Operators should be much more proactive in shutting such bots down and blacklisting the ISPs concerned. Proactive action to protect sensitive end-user installations can be a great value-added service.
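The long-window correlation the paragraph calls for, as an added example that is not part of the original post: two detectors run over the same constructed connection log, a classical burst rule (many failures against one device in a short window) and a long-window spread rule (one source touching many devices, however slowly). The log format, hosts, timings and thresholds are all constructed for this illustration.

```python
"""Long-window correlation of slow, spread-out probes.

Added example, not from the original post.  The burst rule below stands in for
a classical IDS threshold; the spread rule is the cross-site, cross-time
correlation an operator can do.  Log format, hosts and timings are constructed;
addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Return constructed lines: '<ISO ts> src=<ip> dst=<ip> dport=<n> result=<ok|fail>'."""
    t0 = datetime(2016, 10, 21, 10, 0, 0)
    lines = []
    # Slow bot: 3 failed telnet probes per device, 6 devices, 40 minutes apart.
    for i in range(6):
        for k in range(3):
            ts = t0 + timedelta(minutes=40 * i, seconds=k)
            lines.append(f"{ts.isoformat()} src=203.0.113.7 dst=198.51.100.{10 + i} dport=23 result=fail")
    # Noisy bot: 12 failures within one minute against a single device.
    for k in range(12):
        ts = t0 + timedelta(seconds=5 * k)
        lines.append(f"{ts.isoformat()} src=203.0.113.9 dst=198.51.100.20 dport=23 result=fail")
    # Human: four mistyped passwords, then success, on one device.
    for k, res in enumerate(["fail"] * 4 + ["ok"]):
        ts = t0 + timedelta(minutes=5, seconds=20 * k)
        lines.append(f"{ts.isoformat()} src=192.0.2.5 dst=198.51.100.30 dport=22 result={res}")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into a dict with a datetime 'ts' and an int 'dport'."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    ev["dport"] = int(ev["dport"])
    return ev


def load_events(text):
    """Parse all non-empty lines and order them by time."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def burst_detector(events, threshold=10, window_minutes=5):
    """Classical rule: >= threshold failures from one src to ONE dst inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # (src, dst) -> failure timestamps still in window
    flagged = set()
    for ev in events:
        if ev["result"] != "fail":
            continue
        q = recent[(ev["src"], ev["dst"])]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop entries that have aged out
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev["src"])
    return flagged


def spread_detector(events, min_targets=5, window_minutes=360):
    """Long-window rule: one src failing against >= min_targets DISTINCT dsts inside the window."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)          # src -> (ts, dst) failures still in window
    flagged = set()
    for ev in events:
        if ev["result"] != "fail":
            continue
        q = recent[ev["src"]]
        q.append((ev["ts"], ev["dst"]))
        while ev["ts"] - q[0][0] > window:
            q.popleft()
        if len({dst for _, dst in q}) >= min_targets:
            flagged.add(ev["src"])
    return flagged


if __name__ == "__main__":
    evs = load_events(build_sample_log())
    print("burst rule flags      :", burst_detector(evs))                     # noisy bot only
    print("spread rule, 6 hours  :", spread_detector(evs))                    # slow bot only
    print("spread rule, 30 min   :", spread_detector(evs, window_minutes=30))  # misses the slow bot
```

Shrinking the spread window to 30 minutes makes the slow bot invisible again, which is the point the paragraph makes about correlating across large slices of time.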

Smart Home User

1. Change the default password on your home router. Ensure the trapdoor (maintenance access) used by your service provider (ISP) and device manufacturer (router maker) is locked down and not using default or easily guessed passwords. Since many routers (based on Linux variants) are already infected, you may even consider a factory reset or changing to a more secure model.

2. Review devices directly connected to the Internet, i.e. those that have an IP address and are directly addressable. DLNA and UPnP are suspect. Disconnect where possible. Check with your supplier whether an on-premise hub can act as a gateway and hide all devices from the Internet. This is the recommended architecture. See the recommendations for device manufacturers below.

3. Arrange to shut down all incoming Internet connections. At a minimum, review and remove Telnet, SSH and similar services. This may need technical configuration on your router.

SmartFactory and SmartBuilding

4. Review recommendations 1-3 for SmartHome. Do a root and branch review of all routers. Upgrade and use trusted computing and hardware root of trust in securing WiFi and internet access points.

5. Review the logging capability of the IoT network. IoT devices use non-Internet protocols like Bluetooth and IEEE 802.15.4-based ZigBee, WirelessHART, ISA 100.11a etc. For an in-depth look at IoT protocols, go here. Security information and event management (SIEM) tools are a bit rudimentary for these IoT networks. Consider open-source tools like Foren6 as a stop gap and work with your vendors to encourage development of proper tools. This is a good space for new products. (Entrepreneurs, behind every crisis is an opportunity!)

6. Segment the IoT network from the general internet connected one. Place the segmented IoT part under more aggressive and conservative controls.

7. Ask your IoT providers about security. An architecture which hides IoT devices behind a segmented network and funnels all incoming connections through a managed choke-point is a minimal starting point. It is very difficult, and probably impossible, to secure all IoT devices. More effort should go into managing the network, and controls need to extend beyond firewall rules to commands and API calls. Encrypted outbound traffic needs extra care.

Device Manufacturers

8. Consider an architecture which provides security. See https://t.co/mLQPh81a1l for an intro to the IoT stack.

9. Most important is to hide IoT devices from the Internet behind an IoT gateway. Many start-ups, especially for the smart home, build or roll out custom gateways. If you are connecting IoT devices through BLE to smartphones or newer routers, review and block incoming Internet connections.

10. Security has not been a major consumer concern. Our research indicates fatigue is setting in. How to configure, and how to trust what works, when even Yahoo, LinkedIn, JP Morgan etc. are hacked? For IoT, a movement is starting. See IamtheCavalry.org. Opportunity for brand positioning and innovation? How do you sell a car on safety? Some random ideas:

Consider a sticker on each device which provides auto-configuration credentials in a QR code for the segmented (home) network. The user scans it with a smartphone and it configures the app, home router or IoT gateway. Consider a configuration-less PKI like DeviceAuthority.

For super-user activity (like switching over-the-air upgrades off) which changes the critical functioning of a device, build in defences like four eyes (two operators have to approve) or two-factor authentication (OTP).

Consider logging and forensics at the gateway.
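The choke-point controls asked for in item 7 and in the ideas above (commands and API calls checked beyond firewall rules, four-eyes approval for super-user actions, logging at the gateway), as an added example that is not part of the original post. Device names, command names, argument limits and approver ids are all constructed.

```python
"""Choke-point gateway policy for inbound IoT commands.

Added example, not from the original post.  The gateway sits in front of the
segmented IoT network and applies three controls: a per-device command
allow-list with argument checks, two-person (four-eyes) approval for
super-user actions, and an audit record of every decision for later forensics.
The registry, policy and approver ids below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed device registry and policy.
DEVICES = {"thermo-01": "thermostat", "cam-02": "camera"}
ALLOWED = {                       # device class -> commands reachable from outside
    "thermostat": {"get_status", "set_target_temp"},
    "camera": {"get_status", "snapshot"},
}
VALIDATORS = {                    # argument checks beyond the command name itself
    "set_target_temp": lambda a: 5 <= a.get("temp", -1) <= 30,
}
PRIVILEGED = {"ota_disable", "factory_reset"}   # change critical functioning: need four eyes


@dataclass
class Gateway:
    audit: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # (device, cmd) -> set of approver ids

    def _decide(self, device, cmd, who, decision, reason):
        """Record every decision (allow, deny or hold) and return it."""
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "device": device, "cmd": cmd, "who": who,
            "decision": decision, "reason": reason,
        })
        return decision

    def request(self, device, cmd, who, args=None):
        """Return 'allow', 'deny' or 'hold' for one inbound command."""
        kind = DEVICES.get(device)
        if kind is None:
            return self._decide(device, cmd, who, "deny", "unknown device")
        if cmd in PRIVILEGED:
            # Privileged commands never pass on one person's say-so: the set of
            # approvers has to contain two distinct operators.
            approvers = self.pending.setdefault((device, cmd), set())
            approvers.add(who)                 # a set: the same person cannot count twice
            if len(approvers) < 2:
                return self._decide(device, cmd, who, "hold", "awaiting a second approver")
            del self.pending[(device, cmd)]
            return self._decide(device, cmd, who, "allow", "approved by two operators")
        if cmd not in ALLOWED[kind]:
            return self._decide(device, cmd, who, "deny", "command not on allow-list")
        check = VALIDATORS.get(cmd)
        if check and not check(args or {}):
            return self._decide(device, cmd, who, "deny", "argument rejected")
        return self._decide(device, cmd, who, "allow", "on allow-list")


if __name__ == "__main__":
    gw = Gateway()
    gw.request("thermo-01", "set_target_temp", "alice", {"temp": 21})   # allow
    gw.request("thermo-01", "set_target_temp", "alice", {"temp": 80})   # deny: out of range
    gw.request("thermo-01", "ota_disable", "alice")                     # hold
    gw.request("thermo-01", "ota_disable", "bob")                       # allow: second approver
    for entry in gw.audit:
        print(entry)
```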

11. Security from Design to Deployment: Consider what level of concern you need to address for your brand and engage skilled consultants to audit and review the threats, the controls and the architecture you have adopted. Avoid the temptation to roll your own crypto algorithms or your own update and patch delivery method. These are complex and non-trivial. Open-source middleware and IoT platforms are coming up (Kaa project, IoTivity, PlatformIO etc); explore them. It may even be worthwhile to use a commercial platform.

Guest post by Arvind Tiwary & Vishwas Lakkundi.

Arvind Tiwary is chair of the TiE IoT Forum and a member of the Taskforce on IoT security set up by CISO Platform and IoT Forum.

Vishwas Lakkundi is an IoT Specialist & Consultant and a member of the Taskforce on IoT security set up by CISO Platform and IoT Forum.

Views expressed here are personal.

Service Oriented Startups

Last week a very interesting free e-book called “Software Paradox” was trending on Hacker News. The premise of the book is that the value of software as a product is diminishing, but the value of software as an enabler is rising. Pure-play software companies such as Microsoft and Oracle are fading in comparison to rising stars such as Google, Facebook, Apple, Amazon and newer ones like Uber, Dropbox, GitHub, Airbnb and others. None of the new-age companies sell “software”. They all sell a service (or devices, in the case of Apple).

The book goes on to argue that companies even prefer giving away their software innovations as open source so that they can get the respect of the developer community that they desperately want to attract. Apple’s operating systems are based on an open source flavour of Unix, GitHub has built a social layer on git, a version control system created by Linus Torvalds and Facebook is a leader in new age open source web development tools. So there is a clear trend of companies collaborating on an infrastructure and tool level and yet being able to create a lot of value in the services they provide.

The book suggests what pure-play software product companies should do in order to survive this next wave. There are a lot of great options described, which range from moving to a subscription model to becoming a full-stack startup (doing very deep vertical integration in the markets they operate in). In the context of pure-play software product companies, where do we in India stand?

A defining moment in the first episode of the new YouTube drama TVF Pitchers, an Indian take on the popular and brilliant series from HBO, “Silicon Valley”, is when the protagonist is about to dump his entrepreneurial dream and continue with an overseas posting. On his way to the airport, he sees large advertisements of Housing.com and Snapdeal and decides that his calling is a startup. On a side note, it is interesting to observe that the innovation described in TVF Pitchers is a “B-plan”, whereas the innovation on which HBO Silicon Valley is based, is a hypothetical “algorithm”.

My conclusion is that India has already leapfrogged to “Service-Oriented Startups”. The number of new startups and deals in the e-commerce and classified marketplaces domains greatly outnumbers startups that have a technological innovation at the heart of the business. The aspiration of the entrepreneur who starts up today is to build the next Flipkart, not the next Google.

This is something we all will have to learn to accept. Like so many modern innovations we love using today that we did not invent, software is something we would rather use. Innovating on technology requires an intellectual rigour and ecosystem support that will probably never reach a critical mass in India. But amidst all this gloom, I still have hope that at least a few of the 3 million software developers out there will prove me wrong.

How to hire like a hacker

In my past several years of running Themeefy, I have gone through many hiring cycles. Over time I have learnt that there is a particular strategy or set of things, that work really well — especially if you are an early to secondary stage start-up, and want to attract good talent, without necessarily paying a lot.

  1. Be clear on who you want — Do you want a CSS / HTML guy? Do you want a server-side developer? Or do you want someone who can do a little bit of pretty much everything? It’s important to clearly outline this in your mind, because people come with different skill sets and everyone has a different bent of mind. Server-side programmers, even if they can write CSS very well, should ideally not be used for that role — they might miss out on UX aspects that are crucial. Similarly, front-end developers might be capable of writing server-side code, but might miss scalability or other issues. Of course there are exceptions to this.

    Also, if you know the exact skill set you want, or the exact role this person will play in your team, you will look at the right places to hire. For example, while hiring UI people, you should be browsing Dribbble, but while hiring server-side, GitHub is a much better place.

  2. Write a cool job advert. Be creative — Often, highlighting the non-monetary benefits of joining your start-up, can attract top talent. For example, in a recent hiring cycle, I started my job advert by saying “work for 5 hours a day and do cool stuff for the rest”. I didn’t lie. I just figured that days of high pressure work, nearing a release date, are often balanced out by relatively low pressure days when we are in design phase or doing beta testing etc. It all averages out to 5 or 6 hours of work a day, which can be a great perk for talented people. You also stand a chance of hiring folks who like to spend time in developing their own skills, ultimately benefitting your startup.
  3. Give measurable tests — Hiring is a risky business with a high probability of a wrong decision. This is because it has so many aspects and in a start-up we are always pressed for time and resources. Often, multiple rounds of interviews or tests are not possible, candidates are remote or are too busy in their existing jobs. The best way to cut through this is to send a set of small projects — for example a single page UI to a client-side developer, or a small DB problem to a server-side person. A set of goal oriented tests often makes it easy to see whether the person has the ability to achieve a task without much guidance and in a small time frame — a crucial skill for a startup.
  4. Build a pipeline — The fastest way to get people on board is to have a pipeline of resumes / people that you interviewed in earlier cycles and have had a conversation with. People acquire more skills over time. They might have been a “near-fit” back then and you found a better person. But six months or a year later, they might be the right person.
  5. Be open — Don’t have strict notions of work. Be open to work from home, remote work, flexi hours. Be cognizant of the fact that you are hiring people, not coding machines. Talent can come in unexpected packages and as long as you feel a person might be able to do the job, it doesn’t matter how they do it.
  6. Look for attitude — Because when the ship hits rough seas, it’s the attitude that matters more than the skill. No matter how good resumes look, or how amazing a GitHub profile is, it’s the gut feel you get when you see the test results of a person, or interact with the person on email or phone to which you should pay attention.
  7. Be a “closer” — When you are taking time to hire, or decide not to hire someone, make sure you send out an email to the person — especially if you have had several rounds of interviews or discussions with them. It is the right thing to do, and it makes sure your pipeline is open for the future. And as an entrepreneur it’s important that you work towards building a healthy industry culture.
  8. Rules are meant to be broken — There is no one-size-fits-all in start-ups. And definitely not in hiring. If you have rules like salary structures, leave policies, timings — junk them. They are barriers to hiring. Employees get confused and the focus becomes more on what am I getting, rather than on what is the culture I am getting into. Emphasize just one thing during hiring — that it’s a goal-oriented, trust-based and merit-based place. That’s all that matters and that’s how your start-up should be. Customise your offers based on your candidate and your current ground-reality.

Well, that’s it — my algorithm for hiring. You are free to fork and tweak this to your needs. Happy hiring ☺

HackerEarth: an online technical sourcing and assessment solution – Sachin Gupta, Co-founder. #PNHangout.

HackerEarth is a Bangalore based start-up which helps companies hire programmers. It was started in 2012 by Sachin Gupta and Vivek Prakash, both of whom are alumni of IIT Roorkee. HackerEarth provides solutions for the technical recruitment space – one is an online assessment tool which is used by organizations to assess both internal and external candidates. Another solution acts as an engagement platform for companies when sourcing employees. With respect to internal candidates, companies typically use HackerEarth to conduct online challenges to assess their employees’ abilities. On the other hand, when we consider recruitment, there are primarily three stages during recruitment – sourcing where you source candidates, assessment which involves psychometric assessment, technical assessments, etc. and selection which is obviously where the candidate is selected. Our focus is primarily on stage one and two and our approach to these two stages differs from that of a typical recruitment agency. Our approach is to conduct an online hiring challenge. It is like an open test that we conduct on our community of developers. People come and participate in these challenges and based on their performance, we shortlist candidates. Since we began we have conducted numerous challenges, so we now have a large user base whose skill sets we’re aware of.

The test, or the challenge, as we call it, gives us a good understanding of a candidate’s programming proficiency. If they have performed well in the challenge, we know the candidate is good. We then aggregate their coding activities from online sources like StackOverflow, GitHub, etc, combine all this data to understand their core skills/strengths and we match it to a company’s requirements.

When we began HackerEarth, we were keen on working with early stage start-ups but we quickly realized that even if we gave them good candidates, the number of hires wouldn’t be very high. So we decided instead to focus only on series A and series B funded companies. At that time InMobi was a marquee client for us. Later on, Practo and FreshDesk came onboard and we were able to fulfill their hiring needs too. We found great success in working with growth stage startups. Once we’d established some presence in the market we realized that the SaaS assessment tool could be sold to larger corporations too. Companies like Symantec and Citrix became our customers because of the time our tool saved them in assessments. Also, the product was much more stable and much more mature by then.

On the non-hiring front, we conduct exciting programming challenges which engage the developer community. We have a big following now. In addition, all the users on our platform are high on quality and high on skill sets, and this in turn has made sourcing from HackerEarth very effective.

Obstacles overcome:

The three main challenges that we have faced since we started-up are:

  1. Selection/Identification: As our company has expanded over the last 20 months, the most recurrent challenge that we have encountered is identifying our focus and priorities at different stages. If you can do this, you can actually build a very good company. When it was just the two of us, our challenge was to identify an MVP. We had interacted with a lot of people but there has to be a point where you need to sit down and start working on a product, and in spite of this you will always feel that you don’t have enough information. You need to rely on your gut instinct and know why you entered that market or why you are building your product. Combine this with the initial user survey that you did to come up with an MVP and then proceed.
  2. Sales: Another big challenge for us was sales, as both of us co-founders have a technical background and we had very little connection to the industry and even less knowledge of how to sell. In addition to the MVP we also needed to identify who our target customers were, because in many instances potential customers expressed interest when we discussed our idea with them but their responses when we spoke to them after having built our product were very different. In our case especially, since we are a B2B solution in some sense, it was very important for us to identify our customer set as we were going after the entire technical hiring gamut. So we had to be extremely choosy. Now that HackerEarth has grown, we have a strong client base, revenue has been coming in and people are becoming more aware of HackerEarth. Building a good sales team was very important for us.
  3. Scaling: After a few successes, we realized that we needed to expand our customer base and accelerate in that direction. User acquisition is one of the most pressing things for us because we are essentially a marketplace as we have developers on one front and recruiters on the other side. It is similar to a chicken and egg problem. If you don’t have developers, you don’t have recruiters and if you don’t have recruiters you don’t have developers, so we have decided to focus more on getting developers to our platform and this is currently a challenge that my team and I are tackling.

Metrics is a must

Being a tech intensive company, the first thing that I would absolutely look for in a Product Manager is how driven the person is by metrics – you should be able to define what numbers you should be tracking and what the time lines are, you should be able to understand the sales figures, etc. He or she should be able to use tools like Google Analytics, use a CRM to track sales, use analytics to see how users are performing, work with Mixpanel and other tools to understand how users are interacting with the product, and then be on top of these numbers, because personally I believe product management is about tracking these numbers and making actionable decisions based on them.

Second is someone with actual previous hands-on experience with technology. If they still work with technology that is even better, because sometimes, say you want to build a hack for marketing or you want to implement a small feature that your customer requested which typically would take say half an hour of work and you don’t want to disturb your team, you can go ahead and implement it yourself. So this is hands-on technical skill, if not current, then at least experience of working with technology in the past.

Third is having domain knowledge. So somebody who has worked with programmers, somebody who can understand what programmers want and also understands recruiting because at the end of the day, the problem that we are solving is recruiting. We are helping companies hire programmers better. So if I can’t understand the pain point of a recruiter then I would not be able to build a product for them.

In addition, I believe that some sensitivity towards design is required. HackerEarth is a very design sensitive company. So the product manager also should understand what good design is. I don’t really expect them to create good designs but they should be able to understand what is good, what is bad and then work with the designer. One of the challenges of being a PM is actually working with the designer because designers tend to form a certain view point about certain things, so they are very passionate about what they see and sometimes what they see or what they feel or what they think or believe in may not actually translate to what the users want or what the business wants.

At the end of the day, being a product manager doesn’t mean you know everything. You could be wrong but to be a good product manager you need to be someone who is really passionate about solving a particular problem.

#PNHANGOUT is an ongoing series where we talk to Product Managers from various companies to understand what drives them, the products they work on and the role they play in defining the product’s success.

If you have any feedback or questions that you would like answered in this series feel free to email me at appy(dot)sg@gmail(dot)com.


OpenSource: The Most Underused Strategy by Indian Software Product Companies

Open Source has been quietly making its mark. Kickstarter just completed a billion dollars in crowdfunding. A lot of the work funded via Kickstarter is licensed for public use. Because the initial capital is pitched in by lots of people, the creators have a lot of incentive to give it back to the people.

The Do-It-Yourself community in both software and hardware is also on the rise. This is an early adopter and very influential community. The promise of free software promoted by Richard Stallman is no longer a promise. A lot of the backend tools you are using to build your software product are already Open Source. So why not take the next step and make your product Open Source too?

Adapt or Become Extinct

Five years from now, the product you are building will be replaced by an open source alternative.

Ok, maybe ten years from now. But it is going to happen. In the long run, as more and more libraries and mature frameworks become available, the barrier to entry to make a new open source product will reduce further. Deployment will become easier and the ecosystem will provide easy to install platforms. Right now, there is a dearth of high quality, usable open source tools, but it just takes one motivated developer to change that.

Unfortunately in India, we do not have too many examples of Open Source software products. We at ERPNext, open sourced our product a few years back and now we are seeing the benefits. We spend very little time worrying about surface level things such as Customer Acquisition Costs and A/B Testing, because our users and customers come looking for us. Sometimes, there is a cherry too. A German company just wired us $5000 because they wanted us to listen to them when we decide the product roadmap.

Getting Started

So if you are considering going the Open Source way, here are some pointers:

1. Believe in Open Source: There are no half measures here. There are tons of projects on SourceForge and GitHub that are dead because there is no documentation, or they are not deployable or not updated. If you are going Open Source, go the whole way.

Another annoying strategy some projects follow is that they make a part of the product open and some parts paid. This is something like the freemium model. Avoid this, you will never win true followers this way.

2. Documentation: Prepare good documentation for users and developers. I had read an interesting comment by John Resig (the creator of jQuery) on why jQuery became the standard, leaving all others aside. He had said that jQuery was simply the best documented project. As a developer, just remember the time when you came across a badly documented API or library. This is very hard and is a huge investment, but it’s a very important step for going ahead.

3. Make it Deployable: Give your users a good development environment and a production environment. Unless your users can deploy your solution in production, there is no chance of you getting feedback, or issues or contributions. And when you make it deployable also make the upgrade scripts public, so people can easily upgrade your software. Ever really noticed when Chrome or Firefox upgrades? Make it as easy as possible for your user.

When you do all of this, you will automatically start following a lot of best practices, because suddenly not only are your users your customers but also developers.

Cloud and Open Source

As virtualization and cloud gets more popular, Open Source will be the direct beneficiary. Already platforms like Bitnami specialize in creating free deployable VMs for Amazon and DigitalOcean. Soon, it will be easy for anyone to start using Open Source products on the cloud.

We at ERPNext give away VMs for free, but they can also become a source of revenue.

Business Models

The most obvious doubt you will have when you think about Open Sourcing is what will happen to your current revenue, will your customers stop paying you? Think again. Open Source is no longer a pariah to venture funding. Scalable business models can be built around Open Source. MongoDB and RethinkDB are great examples. MongoDB got funded at a valuation of a billion dollars. Here are some revenue sources:

1. Hosting: WordPress makes money off blogs hosted at WordPress.com – they own the brand.

2. Support: RedHat and all the Open Source databases make their money out of support.

3. Implementation and Deployment: SugarCRM, OpenERP and others make money via their partner network, who in turn give implementation, deployment and training services to their customers.

4. Sponsorship: As your property gets more and more visitors on the web, it will be a great opportunity to find sponsors. Examples: Mozilla and others.

5. Consulting: Offer high-value consulting to paying customers. Enterprises are already paying huge sums to licensed vendors. With money on the table, they will be happy to buy premium consulting from your company. Example: Percona.

Let Us Lead

The sharing economy has already begun and is going to be the future. India is coming from behind as far as the software product revolution is concerned, but Open Source can be a great enabler in helping all of us break in.

The Buddha never patented the eight-fold path and neither did Patanjali copyright Yoga. Knowledge grows when you share it and the same is true for software. The more used your software becomes, the better it will get and the faster you will reach nirvana.