Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Friday August 25 2017, @07:44AM   Printer-friendly
from the I-need-a-new-IoT...-and-make-it-Snappy! dept.

Submitted via IRC for TheMightyBuzzard

Snappy, a software deployment and management system designed by Canonical for the Ubuntu operating system, could be a shortcut to building trusted IoT applications.

The first rule of building a secure and feature-rich ecosystem is software management — push and pull software updates and software discovery through an app store mechanism from a trusted source.

In the go-to-market IoT race, though, that often doesn't happen. Many Internet of Things (IoT) product developers have ignored the traumatic early history of Microsoft Windows, Android and web platforms, and expoits of IoT devices — because software updates have not been designed in — are regularly reported.

Those earlier platforms have been hardened, updates have been automated, and the app discovery and installation have been made trustworthy. IoT developers need to follow their lead. 

Snappy, a software deployment and package management system designed and built by Canonical for the Ubuntu operating system, could be a shortcut to building a trusted IoT application.

The Ubuntu-Core required to integrate Snappy software management system uses 612MB, and snapd, the endpoint software management service needed to interact with Snappy, uses 15MB. The IoT device would need 627MB-plus memory for the IoT app called a snap. Because of memory and computational constraints, it is not a solution for ultra-low-power, small memory microcontroller devices but would work with 32-bit devices like the Raspberry Pi. Nevertheless, a review of Snappy is worth the time because it clearly explains a fairly complete approach to the problem of trusted software management and distribution.

Source: https://www.networkworld.com/article/3219725/internet-of-things/this-linux-tool-could-improve-the-security-of-iot-devices.html


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Touché) by Azuma Hazuki on Friday August 25 2017, @04:10PM (3 children)

    by Azuma Hazuki (5086) on Friday August 25 2017, @04:10PM (#558930) Journal

    See topic. This isn't only stupid, it's ugly, slow, and inefficient. I know aesthetics aren't a moral metric, but it's the dingleberry cherry on top of the crap sundae here.

    People, these things are embedded systems. They should be running only tiny distros like TinyCore or Void with a minimal, auditable set of packages from the manufacturer.

    --
    I am "that girl" your mother warned you about...
    Starting Score:    1  point
    Moderation   +1  
       Touché=1, Total=1
    Extra 'Touché' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 2) by fido_dogstoyevsky on Friday August 25 2017, @09:55PM

    by fido_dogstoyevsky (131) <axehandleNO@SPAMgmail.com> on Friday August 25 2017, @09:55PM (#559126)

    ...This isn't only stupid, it's ugly, slow, and inefficient... People, these things are embedded systems. They should be running only tiny distros like TinyCore or Void with a minimal, auditable set of packages from the manufacturer.

    And, ideally, not an IoT device - hence unstupid, elegant, fast and efficient.

    --
    It's NOT a conspiracy... it's a plot.
  • (Score: 0) by Anonymous Coward on Saturday August 26 2017, @12:26AM

    by Anonymous Coward on Saturday August 26 2017, @12:26AM (#559179)

    I spent a few years in this segment. Believe it or not there *is* a decent market for customization on the fly sort of app store download like firmware. They all want 'I plug it into a modbus and a can bus at the same time' not that you would really do that.... As you know the space is fairly limited. So a 2 gig distro with 600MB patches are a non starter (especially on dataplans that cap out at 5-50 meg per month). But a 10 meg download and the box suddenly has extra functionality is very appealing.

    We spent a lot of time and money on R&D on that exact market segment. The the main company pulled the plug. Not because it was unprofitable (it was doing very well). But that it was not profitable enough and corp politics. Limited hardware SKU was very appealing to IoT re-sellers. Plus it was cool as hell to transform a modbus demo into a gpio pin device in under 30 mins and at min cost and software update. All with the same box. We tried to hit 5MB for the whole thing. Less if we could manage it as even 5MB was too much. This was maybe 3-5 years ago. It was pretty obvious general computing was storming all the way down to the lowest levels. It was not a mater of if, but when.

    600+ meg. *sigh* The guys who get stuck with that device will have a nasty surprise when they try to plug it into an AT&T or Verizon. The cost margin will explode and their profits will be gone and the project DOA. Maybe in 5-10 years.

  • (Score: 2) by Arik on Saturday August 26 2017, @04:10AM

    by Arik (4543) on Saturday August 26 2017, @04:10AM (#559278) Journal
    "I know aesthetics aren't a moral metric,"

    How?

    "but it's the dingleberry cherry on top of the crap sundae here."

    Now that was an apt turn of a phrase.

    "They should be running only tiny distros like TinyCore or Void with a minimal, auditable set of packages from the manufacturer."

    Guessing 'void' is similar. TinyCore is a freaking *nix OS. A fully networked, multi-user general purpose OS.

    That's STILL WAAAAY too much for a garage door opener!

    The more unnecessary junk you stick on these things the less likely they are to be fit for purpose.

    A garage door opener needs to do a very limited number of things. It needs to listen for commands, verify the authority of the commands, and then execute the commands. There are three commands it needs to respond to - open the door, close the door, and report the current state of the door. In addition, it needs to have a power-up or boot routine that verifies the presence of all the necessary hardware and sends an error signal if anything is missing.

    That's it. That's the devices entire scope. It must do all these things, and nothing else. (Feel free to prove me wrong I'm writing this on the fly after more than a few beers and could easily have forgotten something important - point being it's a very short list of fairly simple tasks;  and that while it's important that it do all those things, it's just as important that it do *absolutely nothing else*.)

    It doesn't need a multi-user OS, it doesn't even need a multi-tasking OS. The most resource intensive task it should EVER do is to verify the signature when it receives a command, and it's perfectly acceptable for it to completely ignore everything else for at least a MILLION milliseconds while it works on that. Once the command is verified, then the appropriate sequence of actions is taken and it ends with listening to the network for commands again.

    Aside from the cryptography, a Z80 with 32kb would be overkill for this. Just how much computer do you need to verify a crypto signature, given a second or even a bit more to do it in?

    --
    If laughter is the best medicine, who are the best doctors?