Epeus' epigone

Edifying exquisite equine entrapments

Saturday, 13 November 2010

Firesheep, enterprise software and other broken models

There has been a lot of fuss about Firesheep, a browser plugin that shows how easy it is to intercept packets on the internet and masquerade as someone else. The idea is nothing new: EtherPeg—which intercepts wifi traffic and shows the JPEGs and other images passing by—is over 10 years old. Annalee Newitz wrote a Wired story on people packet sniffing in coffee shops back in 2004.

The underlying design of the internet means that you don't know who will be able to see any packets you send. If you care about not being snooped on, you need an encrypted connection from your computer to the one serving you at the other end. The best way to do this on the web is to use HTTPS, which all browsers support, and most servers support with configuration changes. It's not perfect, but it's good enough.
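As an added example (not code from the original post), here is a small Python check that a site operator can run over a server's response headers to catch the specific failure Firesheep exploited: a session cookie that the browser will also send over plain HTTP, even when the site offers HTTPS. The headers it audits are constructed for illustration, and the pattern used to decide which cookies count as "session-like" is a heuristic assumption, not a standard list.

```python
"""Audit HTTP response headers for cookies that leak over plain HTTP.

HTTPS only protects a session cookie if the browser never sends it on an
http:// request. Two server-side settings decide that: the Secure attribute
on the cookie, and a Strict-Transport-Security header so the browser stops
making plaintext requests to the host at all.
"""
import re
from dataclasses import dataclass

# Heuristic for cookie names that usually carry a login session (assumption).
SESSION_LIKE = re.compile(r"(sess|sid|auth|token|login)", re.IGNORECASE)

# Constructed sample responses from a hypothetical login endpoint; not a real site.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=a1b2c3d4; Path=/; HttpOnly"),   # no Secure flag
    ("Set-Cookie", "csrftoken=zz99; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),                     # not a session cookie
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000"),
    ("Set-Cookie", "sessionid=a1b2c3d4; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "csrftoken=zz99; Path=/; Secure"),
    ("Set-Cookie", "theme=dark; Path=/"),
]


@dataclass
class Finding:
    cookie: str   # cookie name, or "*" for a response-wide problem
    problem: str


def parse_set_cookie(value):
    """Split a Set-Cookie value into (cookie name, {attribute: value}).

    Attribute names are lower-cased; flag attributes such as Secure map to "".
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_headers(headers):
    """Return the list of findings for one response's (name, value) headers."""
    findings = []
    has_hsts = any(k.lower() == "strict-transport-security" for k, _ in headers)
    if not has_hsts:
        findings.append(Finding(
            "*", "no Strict-Transport-Security header; the browser will still "
                 "make plaintext requests to http:// links for this host"))
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if not SESSION_LIKE.search(name):
            continue
        if "secure" not in attrs:
            findings.append(Finding(
                name, "session cookie lacks the Secure attribute; it is sent "
                      "on plain http:// requests and can be read off the wire"))
    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {len(audit_headers(hdrs))} finding(s)")
        for f in audit_headers(hdrs):
            print(f"  [{f.cookie}] {f.problem}")
```

Run it against headers captured from your own site's login response: the weak sample yields two findings (no HSTS, and a session cookie without Secure), the hardened one none. The point is that "we support HTTPS" is not the same as "the session cookie never travels in the clear"; the cookie attribute and the HSTS header are what close that gap.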

However, much of the advice following on from FireSheep was misleading or outright wrong. I saw several articles saying:

  • Avoid Open WiFi
  • Turn on WPA encryption
  • Use a VPN to tunnel the traffic into a server elsewhere

These techniques may protect you for a while against those near you in the café, but because they do not secure the whole connection, they merely change who is able to intercept your communications.

The security model here is the firewall one - the notion that there are trusted networks and untrusted networks, and as long as you're inside a trusted one, you'll be OK. This is an obsolete worldview. When computers were large fixed physical entities with software controlled by a specialist, and networks were wires under their control too, this had some correspondence with reality, but it was always tenuous - others within the firewall could be running compromised machines; outbound connections could still leak data.

If you VPN into a company or service to mask your outbound connections, that endpoint is an attractive point of attack, as it has collected a set of people who think their data needs securing. There's a clear example of this in this NYT article about a hacker who lured his friends to use an FBI VPN to track them down and arrest them.

This worldview connects with two other themes. The US Government is trying to pass a law requiring ISPs to enable your communications to be intercepted. The UK government is also working on legislation on retaining all email and web traffic. Similarly, many companies monitor internet traffic within and leaving their secure networks for legal compliance and employee monitoring. Such mandated backdoors, like the VPN tunnel, become attractive targets for other bad actors - remember the Greek government being spied on through a legally mandated interception backdoor in the phones they used?

This week, I spent a couple of days at the Enterprise 2.0 conference, hearing how open standards like Activity Streams and OpenSocial are being used to bridge separate business information systems both within and between companies, with OAuth used to enforce corporate policy.

This seems anathema to old-line IT managers who assume that they dictate who gets to see what, but the pragmatic realisation that many business people have more powerful and better-connected computing devices in their pockets, as phones, than corporate IT gives them on their desks was in evidence at E2.0 at least.

This brought to mind the great conversation we had with Josh Klein on TummelVision last week, discussing his book Hacking Work - breaking stupid rules for smart results:

one of the most common hacks we found: jumping IT’s firewall and working around their restrictions and tools in open computing environments, then bringing the work back over the firewall and presenting it to bosses as if the corporate tools had actually been used.

Ben Horowitz's article on enterprise sales in TechCrunch today tries to justify corporate practices, even as he recognizes the inversion of the innovation flow.

What this misses is the underlying economic justification for the existence of a corporation in the first place - the economic theories that build on Coase's work, which say that firms exist because transaction costs are lower within them than for external transactions mediated by the marketplace. Pettifogging internal purchasing rules should be subject to this test: does the internal transaction cost of approving and purchasing something exceed the value of the thing being purchased?

Reading Ben's explanation of how corporate salespeople help institutions negotiate their own labyrinthine processes, I couldn't help but be reminded of John Hagel's Big Shift model (also discussed on TummelVision), which continues to show a declining return on assets for corporations.

The challenge we have on the web is to maintain the kinds of open-to-all interoperable standards that empower us to work round these creaking bureaucracies. If we delegate our online identities to a few firms operating proprietary APIs, to which they can revoke access, or restrict who may call them, for reasons of corporate strategy, the lowered transaction costs suddenly get very high again.

Doc Searls's work on VRM (this week's TummelVision) is all about making sure that we can retain agency over our own information. I expect to discuss this in depth at Defrag next week.

Posted by Kevin Marks at 15:21 1 comment:
Labels: Activity Streams, enterprise, firewall, OpenSocial, Tummeling, TummelVision, VRM

This is my personal blog. Any views you read here are mine, and not my employers'.



About Me

Kevin Marks
Kevin Marks works on IndieWeb and open web tech. From 2011 to 2013 he was VP of Open Cloud Standards at Salesforce. From 2009 to 2010 he was VP of Web Services at BT. From 2007 to 2009, he worked at Google on OpenSocial. From 2003 to 2007 he was Principal Engineer at Technorati responsible for the spiders that make sense of the web and track millions of blogs daily. He has been inventing and innovating for over 25 years in emerging technologies where people, media and computers meet. Before joining Technorati, Kevin spent 5 years in the QuickTime Engineering team at Apple, building video capture and live streaming into OS X. He was a founder of The Multimedia Corporation in the UK, where he served as Production Manager and Executive Producer, shipping million-selling products and winning International awards. He has a Masters degree in Physics from Cambridge University and is a BBC-qualified Video Engineer. One of the driving forces behind microformats.org, he regularly speaks at conferences and symposia on emergent net technologies and their cultural impact.