Samsung is in a bit of a pickle. They want people to know that “voice recognition feature is activated using the TV’s remote control”. But let’s face it their disclaimer/warning that comes with a TV gave away the real story:

You can control your SmartTV, and use many of its features, with voice commands.

If you enable Voice Recognition, you can interact with your Smart TV using your voice. To provide you the Voice Recognition feature, some voice commands may be transmitted (along with information about your device, including device identifiers) to a third-party service that converts speech to text or to the extent necessary to provide the Voice Recognition features to you. In addition, Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features. Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.

Nice attempt at raising awareness. Kudos for that. The first thing that jumps out at me is how vague the terms are. Second I noticed controls appear to be weak, or at least buried in some menu somewhere (“activated using your remote!” is basically meaningless). Third, Samsung clearly tries to dissuade you from disabling voice monitoring.

If you do not enable Voice Recognition, you will not be able to use interactive voice recognition features, although you may be able to control your TV using certain predefined voice commands. While Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.

You may disable Voice Recognition data collection at any time by visiting the “settings” menu. However, this may prevent you from using all of the Voice Recognition features.

So that’s a warning that your data can go somewhere, who knows where. On the other hand if you disable data collection you may be prevented from using all the features. Don’t you want all the features? Awful choice we have to make.

Samsung product management should be held accountable for a triad of failures. Really, a TV product manager should be in serious hot water. It is embarrassing in 2015 for a consumer product company of any size to make this large a mistake. We faced these issues at Yahoo product security ten years ago and I am seriously disappointed in Samsung. That also is why I find growing public outrage encouraging.

Yahoo! 2006 “Connected Life” Internet TV device

At Yahoo we had a large team focused on user privacy and safety. Research on Internet TV found novelty in a shared device with individual user privacy needs. On the mobile phone product managers could tell me “there is always only one user” and we would debate multi-user protections. But on the TV, oh the TV was different: multi-user risks were obvious to product managers and it was easy for them to take notice. The outrage against Samsung was easily predictable and avoidable.

Take for example typing your password on a big screen menu in front of a room. Everyone can see. The solution I created a decade ago was based on a simple concept: move user information to a disposable/agile security model instead of an expensive/static one. We developed a throwaway token option to register an account on the big screen instead of asking for a sensitive password.

Type your password into a private system, such as a laptop or phone, and the system sends you a number. You enter that number into the TV. Doesn’t matter if anyone sees the number. That was 2006 as we worked with TV manufacturers on how to keep data in public rooms on shared devices private. Yahoo dominated the Internet share of accounts (2 billion users) around this time so nearly every manufacturer would come through our process. Thus we could try to consult with them before bad code or devices were released.

Samsung should thought this through better on their own by now. For example commands used for the TV could require a keyword to “markup” listening, such as “Hello Samsung” and “Goodbye”. That phrase is basically never going to come up in casual conversation. Phones already do this. Remember CB radio? Lots of good verbal markup ideas there and who wouldn’t enjoy talking to their TV like a trucker?

Also important is visual indication that the TV is listening, such as an annoyingly bright LED that can’t be missed. And third a physical disable switch with tactic and visual feedback would be nice; like switching off an old Marshall amplifier. Perhaps a switch on the remote or a button that lights up like a big red “recording” indicator. And this doesn’t even get into fun answers to how the data is protected in memory, storage and over the wire.

Unfortunately Samsung just gave themselves a black eye instead. I would not buy another product from them until I have hard evidence their product management runs through a legitimate security team/review process. In fact I am now disposing of the Samsung device I did own and there’s a very high chance of migrating to another manufacturer.

Just for some comparison, notice how the camera and facial recognition were described:

Vague:

Your SmartTV is equipped with a camera that enables certain advanced features, including the ability to control and interact with your TV with gestures and to use facial recognition technology to authenticate your Samsung Account on your TV. The camera can be covered and disabled at any time, but be aware that these advanced services will not be available if the camera is disabled.

Specific:

The camera situated on the SmartTV also enables you to authenticate your Samsung Account or to log into certain services using facial recognition technology. You can use facial recognition instead of, or as a supplementary security measure in addition to, manually inputting your password. Once you complete the steps required to set up facial recognition, an image of your face is stored locally on your TV; it is not transmitted to Samsung. If you cancel your Samsung Account or no longer desire to use facial recognition, please visit the applicable settings menu to delete the stored image. While your image will be stored locally, Samsung may take note of the fact that you have set up the feature and collect information about when and how the feature is used so that we can evaluate the performance of this feature and improve it.

---

Updated Feb 23: David Lodge has dumped the network traffic and proved that it is indeed capturing and sending unencrypted text to Samsung. He writes:

What we see here is not SSL encrypted data. It’s not even HTTP data, it’s a mix of XML and some custom binary data packet.

The sneaky swines; they’re using 443/tcp to tunnel data over; most likely because a lot of standard firewall configurations allow 80 and 443 out of the network. I don’t understand why they don’t encapsulate it in HTTP(S) though.

Anyway, what we can see is it sending a load of information over the wire about the TV, I can see its MAC address and the version of the OS in use. After the word buffer_id is a load of binary data, which looks audio-ish, although I haven’t delved further into it yet.

Then, right at the bottom, we have the results:

In private circles I was agitating for a while on the humanitarian crisis in North Korea. Although I have collected a bit of data and insights over the years it just hasn’t seemed like the sort of thing people were interested in or asking about. Not exactly good conversation material.

Then earlier this year I was at Bletchley Park and reading about Alan Turing. A quote of his prompted me to post my thoughts here on North Korea’s humanitarian crisis. Turing said basically (paraphrasing)

I helped my country defeat the Nazis, who used chemical castration to torture people including gays and Jews. In 1952 my country wants to give me the same treatment as a form of “managing” gays.

Turing’s life story was not well known until long after he died. And as we learn more about his tragic end it turns out despite exceptional service to his country he was horribly misunderstood and mistreated. He fought to preserve dignity against spurious charges; his social life and personal preferences caused him much trouble with British authorities. Turing was under constant surveillance and driven into horrible despair. After suffering effects of chemical castration, required by a court order, he committed suicide.

I’ll write more about the Turing incident on another post. Suffice it to say here that in the 1950s there was an intense fear-mongering climate against “gay communist” England. Thousands of men were sent to prison or chemically castrated without any reasonable cause.

Between 1945 and 1955 the number of annual prosecutions for homosexual behaviour rose from 800 to 2,500, of whom 1,000 received custodial sentences. Wolfenden found that in 1955 30% of those prosecuted were imprisoned.

The English enacted horrible treatment, even torture, to gay men for what end exactly? Turing was baffled at being arrested for “gross indecency” not least of all because just ten years earlier he had helped his country fight to protect people against such treatment. A gruesome early death was predictable for those monitored and questioned by police, even without charges.

The reform activist Antony Grey quotes the case of police enquiries in Evesham in 1956, which were followed by one man gassing himself, one throwing himself under a train, leaving widow and children, and an 81 year old dying of a stroke before sentence could be passed.

Why do I mention this? Think about the heavily politicized reports written by Mandiant or Crowdstrike. We see China, Russia and Iran accused of terrible things as if we only should look elsewhere for harm. If you are working for one of these companies today and do not think it possible things you care about abroad could happen at home, this post is for you. I recommend you consider how Turing felt betrayed by the country he helped defend.

Given Turing’s suffering can we think more universally, more forward? Wouldn’t that serve to improve moral high-ground and justifications for our actions?

Americans looking at North Korea often say they are shocked and saddened about treatment of prisoners there. I’ll give a quick example. Years ago in a Palo Alto, California a colleague recommended a book he had just finished. He said it proved without a doubt how horrible communism fails and causes starvation, unlike our capitalism that brings joy and abundance. The obvious touch of naive free-market fervor was bleeding through so I questioned whether we should trust single-source defection stories. I asked how we might verify such data when access was closed.

I ran straight into the shock and disgust of someone as if I were excusing torture, or justifying famine. How dare I question accusations about communism, the root of evil? How dare I doubt the testimony of an escapee who suffered so much to bring us truth about immorality behind closed doors? Clearly I did not understand free market superiority, which this book was really about. Our good must triumph over their evil. Did I not see the obviously worst type of government in the world? The conversation clouded quickly with him reiterating confidence in market theory and me causing grief by asking if that survivor story was sound or complete on its own.

More recent news fortunately has brought a more balanced story than the material we discussed back then. It has become easier to discuss humanitarian crisis at a logical level since more data is available with more opportunity for analysis. Even so, the Associated Press points out that despite thousands of testimonials we still have an incomplete picture from North Korea and no hard estimates.

The main source of information about the prison camps and the conditions inside is the nearly 25,000 defectors living in South Korea, the majority of whom arrived over the last five years. Researchers admit their picture is incomplete at best, and there is reason for some caution when assessing defector accounts.

I noticed the core of the problem when watching Camp 14. This is a movie that uses first-person testimony from a camp survivor to give insights into conditions of North Korea. Testimony is presented as proof of one thing: the most awful death camps imaginable. Camp workers are also interviewed to back up the protagonist story. However a cautious observer would also notice the survivor’s view has notable gaps and questionable basis.

The survivor, who was born in the prison, says he became enraged with jealously when he discovered his mother helping his older brother. He turned in his own mother to camp authorities. That is horrible in and of itself but he goes on to say he thought he could negotiate better treatment for himself by undermining his family. Later he wonders in front of the camera whether as a young boy he might have mis-heard or mis-understood his mother; wonders if he sent his own mother to be executed in front of him without reason other than to improve his own situation.

The survivor also says one day much later he started talking to a prisoner who came from the outside, a place that sounded like a better world. The survivor plots an escape with this prisoner. The prisoner from the outside then is electrocuted upon touching the perimeter fence; the survivor climbs over the prisoner’s body, using it as insulation to free himself.

These are just a couple examples (role of his father is another, old man who rehabilitated him is another) that jumped out at me as informational in a different way than perhaps was intended. This is a survivor who describes manipulation for his own gain at the expense of others, while others in his story seem to be helping each other and working towards overall gains.

I’ve watched a lot of survivor story videos and met in person with prison camp survivors. Camp 14 did not in any way sound like trustworthy testimony. I gave it benefit of the doubt while wondering if we would hear stories of the others, those who were not just opportunists. My concern was this survivor comes across like a trickster who knows how to wiggle for self-benefit regardless of harm or disrespect to those around. Would we really treat this story as our best evidence?

The answer came when major elements of his stories appeared to have been formally disputed. He quickly said others were the ones making up their stories; he then stepped away from the light.

CNN has not been able to reach Shin, who noted in a Facebook post apologizing for the inaccuracies in his story that “these will be my final words and this will likely be my final post.”

My concern is that outsiders looking for evidence of evil in North Korea will wave hands over facts and try to claim exceptional circumstances. It may be exceptional yet without caution someone could quickly make false assumptions about the cause of suffering and act on false pretense, actually increasing the problem or causing worse outcomes. The complicated nature of the problem deserves more scrutiny than easy vilification based on stale reports from those in a position to gain the most.

One example of how this plays out was seen in a NYT story about North Korean soldiers attacking Chinese along border towns. A reporter suggested soldiers today are desperate for food because of a famine 20 years ago. The story simply did not add up as told. Everything in the story suggested to me the attackers wanted status items, such as cash and technology. Certain types of food also may carry status but the story did not really seem to be about food to relieve famine, to compensate for communist market failure.

Thinking back to Turing, how do we develop a logical framework let alone a universal one, to frame ethical issues around intervention against North Korea? Are we starting with the right assumptions as well as keeping an open mind on solutions?

While we can dig for details to shame North Korea for its prison culture we also must consider the International Centre for Prison Studies ranks the United States second only to the Seychelles in per-capita incarceration rate (North Korea is not listed). According to 2012 data almost 1% of all US citizens are in prison. Americans should think about what prison quantitative analysis shows, such as here:

There also are awful qualitative accounts from inside the prisons, such as the sickening Miami testimony by a former worker about killing prisoners through torture, and prisoner convictions turning up to have zero integrity.

Human Rights Watch asked “How Different are US Prisons” given that federal judges have called them a “culture of sadistic and malicious violence”. Someone even wrote a post claiming half of the world’s worst prisons are in the US (again, North Korea is not listed).

And new studies tell us American county jails are run as debtor prisons; full of people guilty of very minor crimes yet kept behind bars by court-created debt.

Those issues are not lost to me as I read the UN Report of the Commission of Inquiry on Human Rights in the Democratic People’s Republic of Korea. Hundreds of pages give detailed documentation of widespread humanitarian suffering.

Maintaining a humanitarian approach, a universal theory of justice, seems like a good way to keep ourselves grounded as we wade into understanding crisis. To avoid the Turing disaster we must keep in mind where we are coming from as well as where we want others to go.

Take for example new evidence from a system where police arrest people for minor infractions and hold them in fear and against their will, in poor conditions without representation. I’ll let you guess where such a system exists right now:

They are kept in overcrowded cells; they are denied toothbrushes, toothpaste, and soap; they are subjected to the constant stench of excrement and refuse in their congested cells; they are surrounded by walls smeared with mucus and blood; they are kept in the same clothes for days and weeks without access to laundry or clean underwear; they step on top of other inmates, whose bodies cover nearly the entire uncleaned cell floor, in order to access a single shared toilet that the city does not clean; they develop untreated illnesses and infections in open wounds that spread to other inmates; they endure days and weeks without being allowed to use the moldy shower; their filthy bodies huddle in cold temperatures with a single thin blanket even as they beg guards for warm blankets; they are not given adequate hygiene products for menstruation; they are routinely denied vital medical care and prescription medication, even when their families beg to be allowed to bring medication to the jail; they are provided food so insufficient and lacking in nutrition that inmates lose significant amounts of weight; they suffer from dehydration out of fear of drinking foul-smelling water that comes from an apparatus on top of the toilet; and they must listen to the screams of other inmates languishing from unattended medical issues as they sit in their cells without access to books, legal materials, television, or natural light. Perhaps worst of all, they do not know when they will be allowed to leave.

And in case that example is too fresh, too recent with too little known, here is a well researched look at events sixty years ago:

…our research confirms that many victims of terror lynchings were murdered with out being accused of any crime; they were killed for minor social transgressions or for demanding basic rights and fair treatment.
[…]
…in all of the subject states, we observed that there is an astonishing absence of any effort to acknowledge, discuss, or address lynching. Many of the communities where lynchings took place have gone to great lengths to erect markers and monuments that memorialize the Civil War, the Confederacy, and historical events during which local power was violently reclaimed by white Southerners. These communities celebrate and honor the architects of racial subordination and political leaders known for their belief in white supremacy. There are very few monuments or memorials that address the history and legacy of lynching in particular or the struggle for racial equality more generally. Most communities do not actively or visibly recognize how their race relations were shaped by terror lynching.
[…]
That the death penalty’s roots are sunk deep in the legacy of lynching is evidenced by the fact that public executions to mollify the mob continued after the practice was legally banned.

The cultural relativity issues of our conflict with North Korea are something I really haven’t seen anyone talking about anywhere, although it seems like something that needs attention. Maybe I just am not in the right circles.

Perhaps I can put it in terms of a slightly less serious topic.

I often see people mocking North Korea for a lack of power and for living in the dark. Meanwhile I never see people connect lack of power to a June 1952 American bombing campaign that knocked out 90% of North Korea’s power infrastructure. This is not to say bomb attacks from sixty years ago and modern fears of dependency on infrastructure are directly related. It is far more complex.

However it stands to reason that a country in fear of infrastructure attacks will encourage resiliency and their culture shifts accordingly. A selfish dictator may also encourage resiliency to hoard power, greatly complicating analysis. Still I think Americans may over-estimate the future for past models of inefficiencies and dependency on centralized power. North Korea, or Cuba for that matter, could end up being global leaders as they figure out new decentralized and more sustainable infrastructure systems.

Sixty years ago the Las Vegas strip glare and consumption would be a marvel of technology, a show of great power. Today it seems more like an extravagant waste, an annoyance just preventing us from studying the far more beautiful night sky full of stars that need no power.

Does this future sound too Amish? Or are you one of the people ranking the night sky photos so highly that they reach most popular status on all the social sites? Here’s a typical 98.4% “pulse” photo on 500px:

Night at the Lake by hipydeus

Imagine what Google Glass enhanced for night-vision would be like as a new model. Imagine the things we would see if we reversed from street lights everywhere, shifting away from cables to power plants, and went towards a more generally sustainable/resilient goal of localized power and night vision. Imagine driving without the distraction of headlights at night, with an ability to see anyway, as military drivers around the world have been trained…

I’ll leave it at that for now. So there you have a few thoughts on humanitarian crisis, not entirely complete, spurred by a comment by Turing. As I said earlier, if you are working at Mandiant or Crowdstrike please think carefully about his story. Thanks for reading.

Have you heard the story about a drone that crashed into the White House yard?

Wired has done a follow-up story, drawing from a conference to discuss drone risks.

The conference was open to civilians, but explicitly closed to the press. One attendee described it as an eye-opener.

Laughably Wired seems to quote just one anonymous attendee, perhaps as payback for lack of access to attend the event. Who was this sole voice and why leave them anonymous? What made it an eye-opener?

In my conference talks for the past few years I explicitly mentioned attacks on auto-auto (self-driving cars) based on our fiddling with drones.

Perhaps we are not getting much attention, despite doing our best to open eyes. Instead of some really scary stuff the Wired perspective looks only at a very limited and tired example.

But the most striking visual aid was on an exhibit table outside the auditorium, where a buffet of low-cost drones had been converted into simulated flying bombs. One quadcopter, strapped to 3 pounds of inert explosive, was a DJI Phantom 2, a newer version of the very drone that would land at the White House the next week.

Surely a flying bomb is not the most striking (pun intended?) visual aid. I would be happy to give any journalist multiple reasons why a kamikaze does not present the most difficult problem to solve.

On the scale of things I would want to build defenses against, their most striking example seems already within reach. There are far more interesting ones, which is why I have been giving presentations on the risks and what defenders could do to about them (Blackhat, CONFidence).

We also have tweeted about taking over the skyjack drone by manipulating its attack script flaw, essentially a mistake in radio logic. A drone on autopilot using a mapped GPS would be straightforward to defeat, which we also have had some fun discussions about, at least in terms of ships (flying in water, get it?). And then there is Lidar jamming…

Anyway back in April of 2014 I had tweeted about DJI drone controls and no waypoint zones. The drone company was expressing a clear global need to steer clear of airports. Thought I should call attention to our 2014 research and this detail as soon as I saw the White House news so I replied to some tweets.

Nine retweets!? Either I was having a good day or the White House raises people’s attention level. Maybe we can blow off all our talking about this in the past because someone just flew a drone into the wrong yard. It’s a whole new ballgame of awareness. While the White House drone incident could cause a backlash on drone manufacturers for lack of zone controls, the incident also brings a much needed inflection point at the highest and broadest levels, which is long overdue.

Our culture tends to leave the market to harm the average person because let them figure it out. Once a top-dog, a celebrity with everything, is harmed or threatened then things get real. It is like we say “if they can’t defend, no one could” and so the regulatory wheels start to spin.

An incident with zero impact that can raise awareness sounds great to me. As I explained to a FCC Commissioner last year, American regulation is driven by celebrity events. This one was pretty close and may get us some good discussion points. That is why I see this incident finally bringing together at least three phases of drone enthusiast. Fresh and new people will be stepping into the ring to tinker and offer innovative solutions; old military and scientific establishment folks (albeit with some VIP nonsense and closed-door snafus) will come out of the woodwork to ask for a place in the market; and of course those who have been fiddling away for a while without much notice will take a deep-breath, write a blog post and wonder who will read it this time.

Three drone enthusiast profiles

Last year I sauntered into a night-time drone meetup in San Francisco. It was sponsored by a high-powered east-coast pseudo-governance organization. And when I say drone meetup, I am not just talking about the lobbyist drone in fancy clothes who talked about bringing “community” closer to the defense industry “shared-objectives” (“you are getting very sleepy”). I am talking about a room stuffed with people interested in pushing technology boundaries, mostly in the air. Several observations about that meetup I would like to share here. Roughly speaking I found the audience fit into these interest levels:

• Profile 1: The hobbyist Easily annoyed by thinking about risks, the hobbyist is typical attendee in technology meetups. Some people look at the clouds above the picnic, some look at the ants. These new technology meetups almost always are filled with cloud watchers who don’t want to worry. Hobbyists would ask “what do you pilot”. I would reply “Sorry, not here to pilot, I study how to remove drones, drop them from the air”. This went over like a lead balloon. You could sense the deflation in mood. When asked “why would anyone want to do that” my response was “Nothing concrete yet. So many possible reasons a drone could be a threat.” Rather than why, I want to know how and I told people “when the day comes someone needs a drone stopped, I would like to avoid panic about how.” Hobbyists have amazing ideas about drones changing the world for the better; someone needs to ask them “why” and “is that safe” at strategic points in the conversation.
• Profile 2: The professional/pilot Swapping stories about success and failures, this group was jaded by reality. A gold-mine of lessons not widely shared was available to those willing to ask. A favorite story was from someone who built gas-leak sensor drones “too accurate” to be used. A power company (PG&E) was forced to admit their sensors (mostly manual, staff in vehicles) were dangerously out-dated and wrong. The quality gap opened was so large PG&E became angry and tried to kill his drone program. Another great story was mines laser-mapped by drones. Software stitched together drone photos and maps, using cloud compute clusters, then enhanced with environmental details. New business models were being explored because drones could inexpensively create replica worlds; gaming companies and architects were target markets. Want to see how an underground restaurant concept looks at 5:30PM as the sun sets, or with a morning rain-storm? Click, click you can walk through virtual reality courtesy of drones. Another story was pure surveillance, although told as “tourism”. Go to a famous monument, pull out your pocket drone, launch it and quickly take a few thousand pictures; now you have a perfect 3D model. Statues, machines, buildings…the drone comes back with data you download to process into a perfect model of anything the drone can “see” on its little vacation. Since this story was told last year I have to also point out newer drones are faster; process data in real-time as they fly instead of after a download.
• Profile 3: The lobbyist The lobbyist bridges reality of risks with promise of new sales. There is some belief that the military is light-years ahead of hobbyists and professionals in drone-building and flying. Been there done that, a business model (selling to the government) was solid and their engineers want to rule the technology leadership roost into the next business models. However they also openly admit the military-industrial-complex has become so used to handouts they fear missing the boat on consumer desire. A flood of new talent was scooping up drone kits and toys, which looked like it could dwarf the military-industrial market. Thus synergies and collaborations are hoped to license military tech to professionals, who will tell the stories that hobbyists get excited about.

You could smell a three-way collision (at least, maybe more) brewing and bubbling. Yet the three groups stood apart as distinct. Political stakes were increasing: money and ideas starting to flow, old power worried about disruption, seasoned vets gave guidance on where to go with the technology and new horizons. It just didn’t seem quite yet the time for collaboration, let alone getting a security discussion going across all three groups.

Bringing Profiles Together

Going way, way back, I remember as a child when my grandfather handed me a drone he had built (mostly ruined, actually, but let’s just pretend he made it better). Having a grandfather who built drones did not seem all that special. Model trains, airplanes, boats…all that I figured to be the purview of old people fascinated with making big technology smaller so they could play with it. Kind of like the bonzai thing, I guess, where you think it’s something everyone would do when in fact very few can keep the damn thing alive.

Fast-forward to today and I realize my grandfather’s peculiar interest in drones might have been a little exceptional. Today groups everywhere are growing consistently larger and newly discovering use for drones. If I drew a Venn diagram the circles would seem separate and distinct from each other; where drones simply are not part of everyday life yet, unlike technology such as glasses (the better to see you with). Roombas aside, my theory is the future looks incredibly bright if people can start thinking together about ethics and politics in the bigger drone picture, including risks.

Speaking of going back in time to understand the future, in 2013 I found my long-time drone interests leading into tweets useful at work for an infrastructure/operations giant. Could this be a model of convergence? I thought Twitter might help with converging risk discussions into after-hours meetups, like talking about the forward-thinking people in Iowa demanding no-drone zones.

Clearly my humor did not win anyone’s attention. Not a single retweet or favorite. Crickets.

It also may just be that Twitter sucks as a platform and I have no followers. That’s probably why I’m back to blogging again more. Does anyone find Tweets conducive to real conversation? The best Twitter seems to do for me is to shift conversation by allowing me to throw a fact in here or there, like I sit quietly with my remote Twitter control, every so often dropping stones into the Twitter pond.

When a news story broke in 2013 I had to jump in and say “hey, cool Amazon hobbyist (new) story and I think you could be overlooking a FedEx lobbyist (old) story”.

I was poking around some loopholes too, wondering whether the drones over SF could have a get-out-of-jail card if we wanted to take them down.

Kudos to Sina and Jack for the conversation. My tweets were at least reaching two or three people at this point.

And as anti-drone laws were popping up I occasionally would mention my research in public. Alaska wanted a law to make sure hunters could not use drones for unfair advantage.

Such a rule seemed ironic, considering how guns have made killing a “sport” nearly anyone can “play”. A completely unbalanced and technology-laden air/ground/sea attack strategy on nature was common talk, at least when I was in Alaska. Anyway someone thought drones were taking an already automated sport of killing too far.

Illinois took the opposite approach to Alaska. Someone saw drones as potential interference to those out for a killing.

By April of 2014 I had built up a fair amount of detail on no-fly zones and strategies. We ran drones for testing and anti-drone antenna prototypes were being discussed. I gave myself a challenge: get a talk accepted and then publish an anti-drone device, similar to anti-aircraft, for the hobbyist or average home user.

Here’s a good picture of where I was coming from on this idea. One of the top drone manufacturers told me their drones were absolutely not going to stray into no-fly zones. What if they did anyway? Ethics were easy in this space of unauthorized entry. A system to respond seemed most clearly justified and desired.

Haha. “No-way points” get it? No? That’s ok, no one did. Not a single re-tweet or favorite for that map.

The point wasn’t completely lost on people, however. A little exposure meant I was called in for a short Loopcast episode, called Drone Hacking, which I suppose some people might have heard. The counter says 162,000 plays so far, which seems impossible to me. Maybe some of those numbers are from drones?

Anyway my big plan to release our research at a conference was knocked down when the Infiltrate popular voting system denied us a spot. We were going to show how we immediately, and I mean immediately, found a way to skyjack the Skyjack drones; it was a talk about general command and control strategy, redirection, ground-to-air, air-to-air and all kinds of fun stuff.

Denied by peers.

I resubmitted the same ideas to CanSecWest.

Denied by review board.

This pretty-much shelved my excitement to explain more details, e.g. those obvious bugs in SkyJack code (not picked up by any news but at least credited by Samy when we reported it to him), and why insecure WiFi and services leave options for self-defense wide open:

Kind of obvious what’s wrong here; security is most sensational when addressed at a low-level using basic stuff. Begs the question of how and when exactly to cross-over the discussion from infosec/safety flaws into hobby or even professional forums. I confess I made a mistake. My focus has been more on what to do about larger picture issues, because I argue the individual sensor flaws go without saying.

Yet I have to face reality that the “flaws” audience, the people looking for ants, still may be the only place to talk about dropping drones out of the sky. Others will dismiss the topic until a serious, celebrity or White House level, event occurs. In my mind that is too late…

At last year’s EMCworld a guy on my staff was fully dedicated to drone safety tests — he was achieving real pilot skills by the time we ran public demos — still our safety research wasn’t detailed by any news source. Timing felt early, as if journalists were apprehensive to the story and the groups mentioned above too separate to generate a nice broad general audience piece.

So while the conference was explicitly open to the press we had the opposite of major celebrity-level disaster (we we told not to crash a hobby drone into the crowd, despite it raising our chances for attention). Our 30,000 person infrastructure/operations audience seemed to lack interest in any presentation on responses to evil drones. An attempt to cross-over just turned into people asking if they could take home the drones as a conference prize. Thus we auctioned our four test units at the end of the show and management patted us on the back for quiet success. Ooops. Maybe we can do better getting the right kind of attention this year before real damage is done.