Hey folks… I don’t want to be a buzzkill here, but in many of my past day jobs, I have been responsible for ensuring that no one could do bad things with the software systems that I developed.
One thing has occurred to me a few times as I get my feet wet in the world of cloud-connected micro controllers: it seems like it would be really easy to do terrible things at a distance with these devices. With the combination of sensors and digital control outputs, well, the prospect just seems scary.
I’m sure the Spark founders have thought of this, but are there any kind of mitigation factors in place to prevent people from doing bad things with Sparks? Or deterrents such as accountability if something bad was done with a Spark?
What kind of things are you thinking about? What kind of attack vectors?
I, for example, have a Spark connected to my front door controlling the lock. I would be very interested to know if others can talk to that core w/o my say so.
I’m not talking about someone hijacking your core. I’m talking about someone using their own core to do terrible things. With a battery power source and a battery-powered nearby MiFi card/hotspot, the core can be used to remotely trigger all sorts of things.
People can use cars, cell phones, alarm clocks and a host of other day-to-day objects for bad things, but that is the responsibility of the user/owner not the manufacturer.
This is a good question, and something we’ve spent a lot of time thinking about. I think ultimately it’s a very hard problem. It’s easy to imagine almost every tool ever made could be used positively or negatively.
If you want to prevent anybody using any electronics anywhere for malicious purposes, I think you’ll need to approach that from a legal / socio-political angle. Personally, as an engineer I’m committed to not building weapons. I’d rather spend my time helping people build cool stuff.
I’m not suggesting that we prevent people from innovating, and I’m certainly not over-reacting. Anybody who has seen the things I’ve seen wouldn’t consider my thoughts an over-reaction. There is normally a barrier to entry to these types of activities, a level set of skills necessary to pull it off. Every year, technology lowers that bar, making it easier for people who otherwise would have been unable to commit these crimes. The solution isn’t to hide or restrict the technology (that’s totally counter to the open-source hardware movement)… but that doesn’t mean it’s ok to cover your eyes and pretend it isn’t or won’t happen.
I was really just wondering if you folks keep audits/traces of the use of the spark cloud (IPs, geo coords, accounts, spark ID) so that if someone did do something bad with a spark, it can be tracked.
I’m not saying that it’s not possible to do bad things with it, I just think there’s a line you must draw to how much you can do to prevent it.
You’d be amazed about how many explosive/hazardous materials can be made with household items. If you had to track each and every purchase of that, then you’d end up with NSA spying levels. You could stab someone to death with a spoon if you’re really determined, but that doesn’t mean you should track all spoons.
It takes only a few trivial electrical components and a prepaid phone to make a remote trigger, you don’t even need a “smart device” for that, the audio jack will suffice.
You can’t stop a determined person from doing something bad, no matter how hard you try. There’s only so much you can do to prevent that, and tracking personal data isn’t the best way I think. The problem with tracking data for potential misuse mean that you also have to track all data that isn’t misused. There’s recently been quite a riot about that…
I have done many projects with my Spark core such as a tweeting bitcoin miner a automatic solar tracker and many more projects but I also love security and it is on of my passions. I have taken a spark core and put it into a usb powered keyboard and the keyboard worked as normal but I put a switch in at the bottom that would turn the core on and off. the core ran a automated script that would scan the computer for files of interest and would open a ssh server on the computer and save the username and password of the ssh server to the cores memory. The core could be easily taken in and out of the keyboard in about 4 to 5 seconds. I did this only to my test computer and then I took out the spark core so I could make new projects. You should not be scared because there is very little you can do and this was only the first of my computer security projects using the core. I don’t publish my code for this project for obvious reasons. No device is good nor evil it’s how the user chooses to use the device.
There are all kinds of logs kept by the cloud software, but their intent is to facilitate development and problem solving, not to track/audit users.
I suppose these logs could be subpoenaed, just like anything else; but the retention time will be driven by their primary use (e.g. improving service, debugging problems, disk quotas) rather than any legal policy or directive.
Since my responses obviously strike you as naive, I’ll turn it around and ask you: what you would regard as reasonable and why (geo isn’t available, since there is no geo unless you happen to connect one to a GPS) ?
