https://community.isc2.org/t5/Industry-News/Sidewalk-security-and-PopulistNet/m-p/42867#M5284 <P>I've been seeing mentions of Amazon Sidewalk, and how it is going to destroy security and privacy as we know it.&nbsp; <A href="https://community.isc2.org/t5/Privacy/Amazon-Sidewalk-Another-Privacy-Failure/m-p/41356#M1203" target="_blank" rel="noopener">AppDefects mentioned it</A>.&nbsp; <A href="https://community.isc2.org/t5/Privacy/Disable-this-technology-Amazon-started-sharing-your-internet/m-p/41663#M1214" target="_blank" rel="noopener">So did Caute_cautim</A>.&nbsp; But it is, of course, the <A href="http://catless.ncl.ac.uk/Risks/" target="_blank" rel="noopener">RISKS Forum Digest</A> that finally got me to read up and figure out what it is all about.</P><P>&nbsp;</P><P>Lo and behold, Sidewalk is my old friend PeopleNet, or <A href="https://blogs.securiteam.com/index.php/archives/1390" target="_blank" rel="noopener">PopulistNet</A>.&nbsp; Well, a sort of cut-down version of it, and limited to Amazon devices (and therefore completely owned by Amazon, which sort of defeats the original purpose).&nbsp; But, I suppose it is a start.</P><P>&nbsp;</P><P>(By the way, if Amazon has patented any of this, my article was published in 2010, so it could probably invalidate some of the patents by being prior art ...)</P><P>&nbsp;</P><P>Amazon has attempted to head off some of the undoubted complaints about security and privacy by detailing some provisions of security for the Sidewalk network, and publishing those in a <A href="https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf" target="_blank" rel="noopener">white paper</A>.&nbsp; Stripped to it's essentials, it's basically a version of Tor.&nbsp; There are "layers" of encryption, corresponding the the OSI application and network layers (and one more "just for show," as Tevye would put it).&nbsp; There is also a promise to limit bandwidth (which probably has as much to do with preventing usage-based denial of service as anything else).</P><P>&nbsp;</P><P>In regard to encryption, key exchange is vital.&nbsp; Sidewalk relies upon&nbsp;Ephemeral Elliptic Curve Diffie-Hellman.&nbsp; A decent protocol, to be sure, but what kind of key size are we talking about?&nbsp; Then there is the blythe promise of "random" key generation.&nbsp; (We know that "random" is not possible, and there is no detail on how any pseudorandom data is generated.)&nbsp; (There is a good deal of digital certification going on, and there is a kind of certificate revocation list, which is comforting.&nbsp; At least they seem to have covered the basics.)</P><P>&nbsp;</P><P>Amazon's use of encryption is supposed to protect privacy, but the wording that the Sidewalk Network Server makes it "difficult" to de-anonymize data implicitly admits that it isn't impossible.&nbsp; It will be interesting to see, with the aggregation of undoubtedly huge amounts of data, how difficult or easy this might be.</P><P>&nbsp;</P><P>When I first proposed PopulistNet, I knew that securing such communications would be a non-trivial task.&nbsp; I still hope for some kind of open-source exploration of the idea on a much wider scale than Amazon.&nbsp; Sidewalk does provide some ideas for the securing of such a system.</P> Mon, 09 Oct 2023 09:46:53 GMT rslade 2023-10-09T09:46:53Z https://community.isc2.org/t5/Industry-News/Sidewalk-security-and-PopulistNet/m-p/42867#M5284 <P>I've been seeing mentions of Amazon Sidewalk, and how it is going to destroy security and privacy as we know it.&nbsp; <A href="https://community.isc2.org/t5/Privacy/Amazon-Sidewalk-Another-Privacy-Failure/m-p/41356#M1203" target="_blank" rel="noopener">AppDefects mentioned it</A>.&nbsp; <A href="https://community.isc2.org/t5/Privacy/Disable-this-technology-Amazon-started-sharing-your-internet/m-p/41663#M1214" target="_blank" rel="noopener">So did Caute_cautim</A>.&nbsp; But it is, of course, the <A href="http://catless.ncl.ac.uk/Risks/" target="_blank" rel="noopener">RISKS Forum Digest</A> that finally got me to read up and figure out what it is all about.</P><P>&nbsp;</P><P>Lo and behold, Sidewalk is my old friend PeopleNet, or <A href="https://blogs.securiteam.com/index.php/archives/1390" target="_blank" rel="noopener">PopulistNet</A>.&nbsp; Well, a sort of cut-down version of it, and limited to Amazon devices (and therefore completely owned by Amazon, which sort of defeats the original purpose).&nbsp; But, I suppose it is a start.</P><P>&nbsp;</P><P>(By the way, if Amazon has patented any of this, my article was published in 2010, so it could probably invalidate some of the patents by being prior art ...)</P><P>&nbsp;</P><P>Amazon has attempted to head off some of the undoubted complaints about security and privacy by detailing some provisions of security for the Sidewalk network, and publishing those in a <A href="https://m.media-amazon.com/images/G/01/sidewalk/final_privacy_security_whitepaper.pdf" target="_blank" rel="noopener">white paper</A>.&nbsp; Stripped to it's essentials, it's basically a version of Tor.&nbsp; There are "layers" of encryption, corresponding the the OSI application and network layers (and one more "just for show," as Tevye would put it).&nbsp; There is also a promise to limit bandwidth (which probably has as much to do with preventing usage-based denial of service as anything else).</P><P>&nbsp;</P><P>In regard to encryption, key exchange is vital.&nbsp; Sidewalk relies upon&nbsp;Ephemeral Elliptic Curve Diffie-Hellman.&nbsp; A decent protocol, to be sure, but what kind of key size are we talking about?&nbsp; Then there is the blythe promise of "random" key generation.&nbsp; (We know that "random" is not possible, and there is no detail on how any pseudorandom data is generated.)&nbsp; (There is a good deal of digital certification going on, and there is a kind of certificate revocation list, which is comforting.&nbsp; At least they seem to have covered the basics.)</P><P>&nbsp;</P><P>Amazon's use of encryption is supposed to protect privacy, but the wording that the Sidewalk Network Server makes it "difficult" to de-anonymize data implicitly admits that it isn't impossible.&nbsp; It will be interesting to see, with the aggregation of undoubtedly huge amounts of data, how difficult or easy this might be.</P><P>&nbsp;</P><P>When I first proposed PopulistNet, I knew that securing such communications would be a non-trivial task.&nbsp; I still hope for some kind of open-source exploration of the idea on a much wider scale than Amazon.&nbsp; Sidewalk does provide some ideas for the securing of such a system.</P> Mon, 09 Oct 2023 09:46:53 GMT https://community.isc2.org/t5/Industry-News/Sidewalk-security-and-PopulistNet/m-p/42867#M5284 rslade 2023-10-09T09:46:53Z https://community.isc2.org/t5/Industry-News/Sidewalk-security-and-PopulistNet/m-p/42892#M5285 <P>Soooooo if Amazon owns it, could they shut it down or kick you off if you violated groupthink?</P> Wed, 27 Jan 2021 16:32:51 GMT https://community.isc2.org/t5/Industry-News/Sidewalk-security-and-PopulistNet/m-p/42892#M5285 CISOScott 2021-01-27T16:32:51Z