LibrePlanet

by Eric Schultz, Community Manager

I was recently asked to speak at LibrePlanet about my experiences working with the FCC on WiFi radio regulations. I was delighted to speak on the topic and prpl Foundation was gracious enough to send me.

For those who aren’t aware, LibrePlanet is the Free Software Foundation’s yearly celebration of free and open source software. LibrePlanet is a unique conference in that it mixes socially conscious technology users and creators with leaders in the free and open source software space. Attending LibrePlanet works best when you spend most of your time listening, and that’s exactly what I did. It’s fascinating to see how a diverse set of people look at social problems and see how open source software can be used to address those problems. While there I did find time to share some of the interesting work that prpl Foundation is doing; there’s a lot of interest among many parties about how prpl’s work on an open source secure boot and OpenWrt/LEDE could be used by individuals and smaller manufacturers.

EEMBC and prpl align to drive use of hypervisors to create security-by-separation for a more trusted IoT

Collaboration to assess performance overhead of virtualization technologies in embedded devices

SANTA CLARA, CALIF – April 4, 2017 – Today the prpl Foundation and EEMBC announced a formal partnership to advance the use of security-by-separation in Internet of Things (IoT) edge devices. By developing an industry-standard hypervisor benchmark, the collaboration aims to shatter the perception that the use of hardware virtualization in low-power embedded devices comes with big performance and energy overheads.


Prpl Foundation tackles how to secure the Internet of Things at Embedded World 2017

Not for profit and its members showcase innovation and push the limits of embedded computing

Santa Clara, Calif. – 9 March 2017 – At Embedded World in Nuremberg, 14-16 March 2017, prpl Foundation and several of its member companies will address the security concerns presented by embedded computing systems as they become more intertwined in our lives.

During two separate presentations on March 14 at the show, prpl’s chief security strategist, Cesare Garlati, will outline and demonstrate how a new separation-based approach anchored in hardware can create the trust needed across the IoT from node to cloud. “How We Can Fix Embedded Computing Through an Open Source, Silicon-Layer Approach” will take place at 9:30-10:00 and the Interactive Session: “How a New Hardware-Based Approach Can Fix Critical Areas of Embedded Computing Security” will take place at 14:30-15:00.


(Not so) Random Musings from RSA Conference 2017

Cesare Garlati, Chief Security Strategist, prpl Foundation

The world’s great and good of the information security industry descended on San Francisco this week for RSA Conference 2017. On the surface, it looked like more of the same this year. There weren’t a huge amount of new companies exhibiting this year and the traditional vendors all seemed to be consolidating and streamlining their product lines in an attempt to demystify buyers. It even saw the McAfee brand back this year after a noticeable absence in the previous “Intel Security” era.

What was extremely apparent, however, was a return to the future. By this I mean the return of focus on securing the endpoint. From laptops, desktops and mobile phones, BYOD reared its head again under a different guise – Bring Your Own Anything. The reason for this is likely the shift to the cloud and away from traditional on-premises offerings, where RSA vendors have typically focused in the past. This trend has meant that as applications, services and virtual workloads move to the cloud and third parties, the corporate data centre is becoming less and less central to IT budgets. As such, we are now seeing a trend where established vendors are following suit and looking once again at the endpoint as a source of revenue, albeit from a slightly different perspective this time.

This difference comes in the form of Internet of Things (IoT) – which, based on the amount of presentations at RSA this year, is clearly of major significance within the industry.  Kaspersky jumped on the bandwagon and announced its platform for IoT and AT&T, IBM, Symantec and others announced an IoT Cybersecurity Alliance.

RSA Conference 2017

But is IoT just another buzzword? The scepticism comes from the fact that traditionally, RSA has been a datacenter/network security event. Granted, network perimeters are changing significantly with the advent of things like the cloud and IoT, but I’m still unconvinced that people can define IoT successfully in this context. It simply isn’t a problem that traditional network security is going to fix, as evidenced in prpl’s extensive research into how to secure the IoT. We know that securing IoT has to start at the hardware level, and that traditional RSA conference vendors have little understanding of this space.

It was encouraging to see a large presence by the not for profit Cloud Security Alliance that was poised to tackle the IoT issues and the crowd for the CSA seminar exceeded 1,400 – with queues out of the door for attendance.  Its approach, which advocates open standards, is one which prpl aligns itself with and it is heartening to see everyone coming together in an organised manner to undertake the problems associated with IoT security.

Finally, the last significant observation for me at RSA was the emerging role of identity  as it relates to securing corporate data.  There was a lot of innovation happening around the idea of making passwords obsolete and start-up UnifyID even took the RSA Innovation Sandbox contest with its implicit authentication platform that combines machine learning and the array of devices around us to match our bodies, and more specifically the way we move, to our identities.

It’s innovations like these and the group mentality of coming together to face security issues head on that mean RSA will be successful for years to come. It just needs scratching away at the surface to get to the real innovation: end to end security cloud to silicon.

FCC Software Configurable Radio Whitepaper

By Eric Schultz, Community Manager, prpl Foundation

I’m excited to be wrapping up this year’s work in the Software Configurable Radio (SCR) sub-group. After a lot of work, I’m happy to report that on December 7, the Technical Advisory Council (TAC) of the FCC approved for release the sub-group’s report.

As background, I’ve been researching and speaking on the topic of regulations related to wireless radios and open source over the last year and a half. Given the controversy over these regulations, the TAC, an independent advisory board for the FCC, decided that reviewing the topic would be helpful for regulators. Notably, the SCR sub-group wasn’t charged with addressing any of the particular regulations proposed by the FCC. Instead, the sub-group was asked to consider a more general topic:

“How to strike the appropriate balance between embedding frequency security mechanisms into Software Defined Radios while allowing innovation and the flexible addition of features”

While the sub-group began work in May and ended at the end of November, I was invited to join the group in late October. It was an honor to be asked to participate and a joy to work with experts committed to understanding a difficult topic. I was particularly encouraged by how dedicated every member of the sub-group was to understanding the needs of those from groups they didn’t represent. Every member understood why they were there but they were open to other viewpoints. The sub-group members’ open-mindedness is reflected in the document not only as it applies to technical mechanisms for embedding frequency security mechanisms but also in the social and economic effects of those mechanisms.

As the sub-group analyzed the problem and potential technical solutions we soon realized that finding a balance was not possible for the group in the limited time allotted. The questions we were being asked, although seemingly straightforward technically, actually reach into areas like humanitarian and rescue efforts, amateur radio, international travel, public safety, consumer rights, maker communities, manufacturing economics and others. Even within the free and open source software community, which I represented through prpl, there are many different facets and viewpoints to be analyzed and considered. Given our limitations and the breadth of the topic, the group made a unanimous recommendation that:

“the FCC encourage the formation of a multi-stakeholder forum to find a way in which manufacturers can strike the appropriate balance between embedding security mechanisms into software configurable radios and their ecosystem to ensure compliance with FCC service rules, while allowing innovation and the flexible addition of features, and fostering cybersecurity overall.”

I think this is a fantastic conclusion. We all benefit when individuals from diverse communities collaborate to work on difficult problems. Through this collaborative effort, I’m convinced we will be able to find solutions that meet the needs of the broadest range of people and, in particular, protect the core interests of the open source community. I also look forward to learning more about the specific problems regulators are seeing so we can work collaboratively to address them. In many ways, this effort mirrors how prpl Foundation approaches problems: bringing all relevant parties together to find solutions that meet the needs of everyone involved.

While the decision about how to handle the sub-group’s recommendation lies with the FCC, I’m heartened that Julius Knapp, Chief of the FCC’s Office of Engineering and Technology, spoke supportively during the TAC meeting about having a multi-stakeholder forum look into this topic further. It’s also reassuring that a number of members of the subgroup, including myself, offered to continue their participation in a multi-stakeholder forum. I look forward to participating in the multi-stakeholder forum, should it be created, and in providing advice to all parties as they look to better understand how to balance the interests of the open source community with the interests of regulators.

Prpl interviewed by Share Radio on smart home security

While Cesare Garlati, prpl’s chief security strategist, was in London in December, he visited the Share Radio studios to pre-record an interview on the prpl Smart Home Security Report. His interview was aired on the 13th of December as part of the Share Radio Evening Show.

Cesare tackles the issue of whether smart homes are as secure as they should be and refers to prpl’s one of a kind global study that found that while there was more adoption of smart devices people were failing to secure their smart home. Jinan Rahma of Share Radio spoke to Cesare and began by asking whether the smart home was a thing of the future and dove deeper into what users should be doing to protect their connected homes.

The full podcast is available to listen to here: https://www.shareradio.co.uk/podcasts/are-smart-homes-as-secure-as-they-could-be-13-dec-16/

Prpl takes part in IoTSF discussions on industry collaboration

Last Tuesday the prpl Foundation took part in the annual IoTSF conference in London. Art Swift, President of the prpl Foundation, took part in a panel Tuesday afternoon on “United We Stand; Addressing the Bigger Challenges of IoT Security with Collaboration”. The panel centered around the idea of building an “Internet of Trust” and how security through collaboration can help. Along with Art, the panel featured John Hayne, chairman of the IoTSF, Paul Wilson of the Multos Consortium, Hugh Boyes of the IET, Idris Jahn from IoTUK and Aapo Markkanen, Principal Analyst at Machina Research.

The panel began by asking each member how they see the IoT terrain changing over the next few years, and how the current work being done by the IoTSF in promoting best practices in security could help this. The main theme throughout all answers was simple: trust. The IoT needs to invest in a supply chain of trust between manufacturers and consumers, with consumers being able to trust that the security of the products is up to standard, and that manufacturers will take the security of their products more seriously.