cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
rslade
Influencer II

Sidewalk, security, and PopulistNet

I've been seeing mentions of Amazon Sidewalk, and how it is going to destroy security and privacy as we know it.  AppDefects mentioned itSo did Caute_cautim.  But it is, of course, the RISKS Forum Digest that finally got me to read up and figure out what it is all about.

 

Lo and behold, Sidewalk is my old friend PeopleNet, or PopulistNet.  Well, a sort of cut-down version of it, and limited to Amazon devices (and therefore completely owned by Amazon, which sort of defeats the original purpose).  But, I suppose it is a start.

 

(By the way, if Amazon has patented any of this, my article was published in 2010, so it could probably invalidate some of the patents by being prior art ...)

 

Amazon has attempted to head off some of the undoubted complaints about security and privacy by detailing some provisions of security for the Sidewalk network, and publishing those in a white paper.  Stripped to it's essentials, it's basically a version of Tor.  There are "layers" of encryption, corresponding the the OSI application and network layers (and one more "just for show," as Tevye would put it).  There is also a promise to limit bandwidth (which probably has as much to do with preventing usage-based denial of service as anything else).

 

In regard to encryption, key exchange is vital.  Sidewalk relies upon Ephemeral Elliptic Curve Diffie-Hellman.  A decent protocol, to be sure, but what kind of key size are we talking about?  Then there is the blythe promise of "random" key generation.  (We know that "random" is not possible, and there is no detail on how any pseudorandom data is generated.)  (There is a good deal of digital certification going on, and there is a kind of certificate revocation list, which is comforting.  At least they seem to have covered the basics.)

 

Amazon's use of encryption is supposed to protect privacy, but the wording that the Sidewalk Network Server makes it "difficult" to de-anonymize data implicitly admits that it isn't impossible.  It will be interesting to see, with the aggregation of undoubtedly huge amounts of data, how difficult or easy this might be.

 

When I first proposed PopulistNet, I knew that securing such communications would be a non-trivial task.  I still hope for some kind of open-source exploration of the idea on a much wider scale than Amazon.  Sidewalk does provide some ideas for the securing of such a system.


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
1 Reply
CISOScott
Community Champion

Re: Sidewalk, security, and PopulistNet

Soooooo if Amazon owns it, could they shut it down or kick you off if you violated groupthink?