
The Internet of Onions - azdle
https://lwn.net/SubscriberLink/695910/61948e743f7054ec/
======
drazvan
I'm actually working on something based on this idea - I've created a SIM card
for the Internet of Things - basically a smartcard (microSD form factor) that
offers a persistent crypto-secure identity for Internet-connected objects.

It works by holding the TOR hidden service private key inside a tamper-
resistant smartcard and generating/signing hidden service descriptors with it
(plus an entire mechanism to prevent you from signing future descriptors -
meaning that the identity is closely tied to the physical SIM card, just like
in the GSM world - whoever has the SIM has the identity, once you've removed
the SIM the identity goes with it).

Discussion at [https://lists.torproject.org/pipermail/tor-dev/2016-June/011134.html](https://lists.torproject.org/pipermail/tor-dev/2016-June/011134.html) - I've made progress since that post, it's now
fully operational and tested, just need to figure out a way to turn it into a
product and get some funding for it.

~~~
ccallebs
I'm working on something that may be a complement to this. My email is in my
profile if you want to chat.

------
azdle
I work for a large IoT PaaS provider. Would this be valuable for customers on
our platform if we supported something like this? I'm trying to think through
all the problems with this and while I think the redesign of our platform will
actually make this harder, there's no reason it wouldn't be _possible_.

I also don't really understand how Tor works. Does this break anything like
persistent connections or screw up anything with using UDP over longer
time spans? (My other pet project is CoAP.)

I don't actually work on the products team, but I bet I could fight for
something like this. (Plus figuring this out would actually be fun rather than
the tedium that my real job has become.)

~~~
dsr_
Supporting Tor is a niche thing, but... it would be very very helpful if
everything in the IoT could be persuaded to go through a customer-controlled
local gateway, which could proxy, rate-limit, redirect, and firewall
connections according to the owner's policy.

Every device that reaches back to the mothership with a proprietary protocol
is another device which gets discarded when the mothership loses interest in
supporting it, and probably has major holes in it as well.

~~~
jerf
I'm not sure what you mean by "persuaded", since unless the IoT device has its
own cellular connection, it can't prevent being passed through a consumer-
controlled device. Do you have such a device right now that is being bypassed?
Because if the answer is no, that's your real problem.

~~~
TeMPOraL
The problem with IoT is that the 'I' expands to "Internet" instead of
"Intranet". A device should not be rendered useless because it can't connect
to manufacturer's servers. The cloud is a good value-add option, but should
_not_ be considered a primary and required element.

The other thing is that most of those devices are gimmicks, toys - a good
device intended to be useful should embrace interoperability - devices working
alone have only a fraction of the potential of devices working together[0].

As for bypassing your device, at some point a "clever" entrepreneur will
discover SSL and certificate pinning, and then you'll be SOL.

[0] - that's why e.g. I recently shelled out and got myself Hues. It's not the
cheapest option, but it's reliable, works perfectly well over LAN, has a
decent API exposing pretty much all possible functionality and then some over
said LAN, no cloud registration or other bullshit. Also I kind of trust
Philips not to burn my house down with crappy manufacturing.

------
scaddison
Off topic ish, am I supposed to be able to read this without a subscription?

~~~
azdle
Yes, LWN has a feature that lets subscribers share a subscriber-only article
with non-subscribers. I think there should be a message on the page along the
lines of "A subscriber has made this available to you, would you like to
subscribe?"

~~~
corbet
There _is_ a message to that effect when non-subscribers read a sublinked
article like this. Sometimes with a trial offer. The occasional (occasional!)
posting of subscriber links is, I think, one of the best marketing tools we
have.

~~~
dredmorbius
Jon, I've been looking into a lot of elements of information goods, and there
are a few bits I'm coming to realise, slowly (it's only been 30 years I've
been studying this).

1. Information is a public good. Nonrivalrous, only very difficultly
excludable. Strong positive externalities. Hal Varian's got a good piece on
this. Doesn't mean you _cannot_ sell it, but it means that doing so _exclusively_
has serious negative effects.

2. Free-sample giveaways are almost always an _excellent_ idea. John Dvorak's
recent "Whatever Happened to Wordstar" had an excellent illustration of this:

 _Worse, in 1985, the company produced Wordstar2000, a copy protected program
that was nothing like the older lovable Wordstar and which contained annoying
copy-protection features that scared most users away. While many pundits
including Esther Dyson predicted great things for Wordstar2000, users rejected
it. The product was big and slow and expensive. And despite complaints by the
company and others, people wanted software they could copy and use on more
than one machine. During this era piracy sold software and created market
share. People would use a bootleg copy of Wordstar and eventually buy a copy.
Wordstar may have been the most pirated software in the world, which in many
ways accounted for its success. (Software companies don’t like to admit to
this as a possibility.) Books for Wordstar sold like hot cakes and the authors
knew they were selling documentation for pirated copies of Wordstar. The
company itself should have just sold the documentation alone to increase
sales._

[http://www.dvorak.org/blog/whatever-happened-to-wordstar-2/](http://www.dvorak.org/blog/whatever-happened-to-wordstar-2/)

3. Corporate and foundation grants and sponsorships or support may be an
option. I've been following the Rockefeller Foundation's "100 and Change"
program with some interest -- the application process is structured to _also_
seek projects benefiting from other forms of support.

[http://www.nytimes.com/2016/06/03/us/macarthur-foundation-will-award-100-million-for-solution-to-a-global-problem.html](http://www.nytimes.com/2016/06/03/us/macarthur-foundation-will-award-100-million-for-solution-to-a-global-problem.html)

Food for thought.

