Friday, July 29, 2011

Yours Truly is Opening Act for TiE MN "How Did You Do It" Series

Just a quick post to mention that I'll be delivering a brief presentation as an opening act for Phil Soran, CEO of Minnesota-grown Compellent, which was just recently acquired by Dell for (...GASP...) $960 Million.

TiE Minnesota is kicking off a series called "How Did You Do It," which showcases successful entrepreneurs and asks them to explain how they got to where they are.

In addition to the "successful" entrepreneur, TiE will be inviting a "start-up" entrepreneur to kick things off with a short presentation of what life is like in the beginning, when the thought of a $960M exit provides extreme motivation, but sometimes feels impossible to achieve.

(In case it wasn't obvious, I'm the "start-up" in this equation!)

Wednesday, August 10, 2011 - 6:30pm - 9:00pm

University Hall, McNamara Alumni Center, U of M
200 Oak Street SE, #35
Minneapolis 55455
United States

Come check it out! Registration and more details here:

http://minnesota.tie.org/event/34/how-did-you-do-it-series-inaugeral-event-phil-soran-ceo-dellcompellent-1

Wednesday, July 27, 2011

The Economic Reality of Mobile Device Security

The smarty-pants over at iSEC Partners demonstrated a GSM network hack to break into a car, presumably one equipped with OnStar or a similar system.

http://news.cnet.com/8301-27080_3-20083906-245/expert-hacks-car-system-says-problems-reach-to-scada-systems/

This is a really important conversation that I've been tracking since 2005. They nailed about 1/3 of the problem with this statement:
"One problem is that vendors are using smaller chipsets to save money and they don't have enough code space to handle large number cryptographic processing."
The simple economics are that faster chips are more expensive, require more electrical power, and tend to be larger in size. So if you really want to squeeze the last dollar out of an embedded system (which you do if you're going to build millions of them and sell them at the biggest margin possible), you use the cheapest chips possible. Similarly, if you want the device as small and/or low-powered as possible, you typically have to make compromises on speed as well. Combine all three of these requirements, and you tend to end up picking a pretty wimpy little CPU.

Encryption is really hard work, even for a computer. So much so, that for many embedded sensor devices or other systems, the actual work being done on the device is far less complex than the task of encrypting the data for transmission or storage. So it becomes a very expensive proposition to do encryption.

The other problem that they failed to mention is that encrypted messages tend to require MUCH more bandwidth. Sending a given message in an encrypted format requires more bytes than sending it without encryption. And when you want to scrunch the data down into the smallest possible M2M wireless data plan, encryption becomes very expensive here as well. Even if you have sufficient horsepower on board, the monthly overhead of a bigger data plan can represent millions of dollars added to the cost of your product. For something as widespread as OnStar, this might be tens or even hundreds of millions of dollars.

The reason I think that the chip itself is only 1/3 of the problem is because the bandwidth costs are recurring and never-ending. Going from a $10 chip to a $20 chip might increase the cost of your product by $10 up front, but going from a $5/month data plan to a $7/month data plan will increase the cost of your product a lot more over time.

But the fundamental problem with security is that it is what we in the software world call a "non-functional requirement".

Product requirements break down into two categories: functional, and non-functional requirements. Functional requirements represent the stuff your product needs to do in order to fulfill its intended purpose for your customer. "Unlock the door on the car" is a functional requirement. Non-functional requirements are requirements that don't directly meet the customer's need, but are required in order to deliver the product. They represent "criteria that can be used to judge the operation of a system, rather than specific behaviors." (Wikipedia)

Unfortunately, when you start figuring out the cost of a system, the non-functional requirements are the first to take a hit. You can get the job done without it. Whether or not you can do the job well, or properly, may be up for debate. It is the difference between "must" and "should".

Most mobile embedded systems can do everything they need to do with a less powerful computer chip and a cheaper mobile data plan. When you do the cost analysis, meeting stronger non-functional requirements around security becomes really expensive. But these vendors are businesses, so they want to bring the product to market at a competitive price, with the highest margins they can manage. There are no laws covering this kind of information, and the consumer hasn't demanded stronger security. So they simply don't do it.

Like almost everything in the world, it all comes down to money and risk. If people really cared about security, they would demand it. But then the cost of many services we take for granted today would go up significantly. Some might no longer be economically feasible. So...how much do you want to pay for someone to say "Hello, this is OnStar, how can I help you?" at the push of a little red button?

The only good news in this is that both chips and bandwidth are becoming cheaper. Who knows...by the time the public starts demanding secure systems, it might actually be feasible to deliver them.

Friday, July 1, 2011

Stopping to Smell the Technological Roses

Interesting times. Here it comes again. Another cheesy "ain't life awesome?" moment from Neal. You've been warned...continue at your own risk.

I'm sitting on a plane writing this post using the brand new Motorola XOOM I just got recently, while listening to Andrew Bird's latest album in CD quality stereo. I spent an hour or so scribbling some design notes for the next big feature to be implemented in TelemetryWeb, and just got done watching a couple of TED Talk videos in HD that I downloaded before the flight. I'm doing all this while travelling hundreds of miles per hour, 30,000 feet above the surface of the planet, in total comfort. Sure, I'm flying coach. But it sure beats trying to go from Atlanta to Minneapolis in a stagecoach on a dirt road.

As a technologist, these are my favorite moments. Those times when the power and potential of everything the human race is building crashes over you like a giant wave.

One of the TED Talks was by Ed Boyden. He showed how his team is beaming rays of light directly into a mouse's brain cells to alleviate problems ranging from depression to blindness. I like to think that I'm working on some pretty bleeding-edge stuff, but his technology is just plain nutty.

I dare anyone to watch a few TED talks and NOT feel good about all the smart people doing amazing things out there in the intersection between technology and society. Most of the technology we interact with simply didn't exist 150 years ago. Air conditioning. Internal combustion engines. Recorded sound and video. Computers. Airplanes. Space travel. The percentage of people globally who own a cell phone is staggering...even in some of the poorest parts of Africa.

Sure, there's a lot of bad stuff going on too. Sony's PlayStation Network got hacked. Heroku was under a DDoS attack. Amazon's cloud went down. Credit card information is being stolen from someone as we speak. An exploit kit for SCADA networks has been published to the wild. And the government still sucks at cyber security and protecting privacy. I'm not even going to start talking about recent wars and nuclear disasters.

It is true: the more we build, the more problems we create for ourselves. And maybe someday we'll create a problem so big that it will be the end of us all. But so far technology has an outstanding track record for fixing more problems than it makes. Our lives today are longer and more comfortable overall than any previous time in history, by just about any measure you can judge. The planet's capacity for producing food 100 years ago couldn't possibly support the world's population today, yet the majority of humans worry less today about finding their next meal than ever before.

We're going to have to double our capacity again by 2050 to support the world's population growth, and figure out how to do it all with the same amount of water that we have today. These are BIG problems to solve.

But take a step back and appreciate where we are, how far we've come, and how rapidly innovation and technology are accelerating. Give yourself just a moment to believe that we will find solutions for these problems. It'll make you feel good...at least until you turn on the 5 o'clock news.