Tag Archives: security

apps on the network

{This started as a Disqus reply to Eric’s post. Then I realized blog comments shouldn’t be longer than the original post 🙂 }

The app-on-network concept is fascinating, and one I think I’ve thought about previously, too.

Hypothetically, all “social networks” should have the same connections: yet there are dozens upon dozens (I use at least 4 – probably more, but I don’t realize it). And some folks push the same content to all of them, while others (including, generally, myself) try to target our shares and such to specific locations (perhaps driving some items to multiple places with tools like IFTTT).

Google’s mistake with Google+ was thinking they needed to “beat” Facebook: that’s not going to happen. As Paul Graham notes:

“If you want to take on a problem as big as the ones I’ve discussed, don’t make a direct frontal attack on it. Don’t say, for example, that you’re going to replace email. If you do that you raise too many expectations…Maybe it’s a bad idea to have really big ambitions initially, because the bigger your ambition, the longer it’s going to take, and the further you project into the future, the more likely you’ll get it wrong…the way to use these big ideas is not to try to identify a precise point in the future and then ask yourself how to get from here to there, like the popular image of a visionary.”

That’s where folks who get called things like The Idea Guy™ go awry: instead of asking questions, you try to come up with ideas – like these 999. And if you can’t/don’t, you think you’ve failed.

Social networks should be places where our actual social interactions can be modeled effectively. Yet they turn into popularity contests. And bitch fests. And rant centers. Since they tend towards the asymmetric end of communication, they become fire-and-forget locales, or places where we feel the incessant need to be right. All the time. (Add services like Klout and Kred, and it gets even worse.)

I would love to see a universal, portable, open network like the one Eric describes. All the applications we think run on social networks (like Farmville) don’t. They run on top of another app which runs on “the network”.

Layers on layers leads to the age-old problem of too many standards, and crazy amounts of abstraction. Peeling back the layers of the apps atop the network could instead give us the chance to have a singular network where types of connections could be tagged (work, fun, school, family, etc, etc – the aspect of G+ that everyone likes most: “circles”). Then the app takes you to the right subset of your network.

Of course – this all leads to a massive problem: security.

If there is only One True Social Network, we all end up entrusting everything we put there to be “safe”. And while some of us still follow the old internet mantra, “if you wouldn’t put it on a billboard, don’t put it on a website,” the vast majority of people – seemingly especially those raised coincident to technology’s ubiquitization – think that if they put it somewhere “safe” (like Facebook), that it should be “private”.

After all, the One True Social Network would also be a social engineer’s or identity thief’s Holy Grail – the subversive access to all of someone’s personal information would be their nirvana.

And that, I think, is the crux of the matter: regardless of what network (or, to use Eric’s terminology, what app-atop-the-network) we use, privacy, safety, and security are all forefront problems.

Solve THAT, and you solve everything.

Or maybe you just decide privacy/security doesn’t matter, and make it all public.

integrisure – the business that never was

For a long time I have been interested in real, actual, legitimate security. I am not a fan of the widespread use of security theater in our “post-9/11 world”, as Bruce Schneier calls it.

Integrisure was supposed to be real-world pentesting of “secure” facilities, a la Sneakers. In late 2000 / early 2001, I was working on a business plan and the initial legwork to find out what licensing, certifications, etc I would need to do security testing at locations like airports.

Integrisure never happened. You can’t google it (well, ok – you can google it now: but you’ll only find this blog post and a bunch of unrelated businesses).

The basic business plan was as follows:

  • establish contacts among management and security directors at various business and government facilities
  • establish time ranges when we can arrive onsite
  • using a team of known, documented, anonymous-looking individuals, find holes in security environments
  • using always non-destructive means, attempt to tail-gate, leave “suspicious” items in conspicuous and inconspicuous locations, gain access to authorized zones, etc
  • have plausible stories pre-built if anyone was “caught”
  • report the results of our simulated attack, including all positives as well as issues, and provide consulting to our client “target” on how they could improve their physical security

More detailed aspects of the planned business were discussed, and written down, between myself and a couple of other folks who wanted to start with me.

We had a start date planned: we would form the company in Jan 2002 (so our fiscal year would align with the calendar year). We had several initial employee/contractors identified – some current or former military members, technical folks, and others.

I had even contacted a couple local companies that did security guard services to see if this was something they would either like to offer as a service, or would help participate in coordinating with their contacts.

Life was looking good. I graduated in May 2001 with my AAS, had some solid job prospects in computer programming and IT work, and was lining up who I expected would be a great team to start Integrisure’s activities.

Then 9/11 happened.

Airport “security” was federalized, my two front-running programming/IT jobs went on hold and/or laid people off (most of their customers were in downtown Manhattan), and suddenly private companies checking for holes in security were not going to fly. (Especially at airports! 🙂 )

after “the cloud”

Cloud computing has been hyped for the last decade+.

For those few of you who haven’t heard of it or don’t understand it, cloud computing is a computing-as-a-utility concept wherein compute (and storage) happens on systems which you may not own. That’s it.

So – now that we’ve been offloading our storage, computing, and other tasks to others in an on-demand manner, what is next?

When computing started, it was centralized, you worked on terminals (that communicated right back to the central machine), and did not “own” any of the work at your local work station.

Then we moved into the PC era where computing was done locally, and we only saved data to a server if “we wanted to be backed up”.

Now we’re moving back into a centralized (and distributed at the same time) computing environment where we can access the same document on our iPad and laptop and twelve other people can see it at the same time, too (eg Google Docs).

We are moving more and more toward ubiquitous computing – smartphones, tablets, laptops, PCs, servers, cars, everything we own is becoming computing-aware (also related: the “internet of things”).

What’s going to come after the cloud hype dies out and we’re back to “business as usual”? Well, other than some as-yet-unnamed term becoming the hot topic du jour – nothing. Computing hasn’t changed in the last 50 years except to become faster, smaller, and more prevalent.

Where computing happens will always depend on the given job at hand – we will centralize when it makes sense, we will distribute when it makes sense, and we will localize when it makes sense.

The real concern for the next decade is data security and integrity. It doesn’t matter where you store your data, or how you process it: if you cannot rely on its accuracy, integrity, and safety, it’s just so much noise.

If you can’t access it when you want or need it, you’ve already lost.

establishing a data haven cloud

In Neal Stephenson’s seminal book, Cryptonomicon, he describes the creation of a “data haven” in the fictional Sultanate of Kinakuta.

Why has no-one started building such a service (or, at least not in a public way) on existing cloud services (eg AWS or Rackspace) and/or creating their own global network?

Data backup and replication are not “difficult” – and neither is the concept of distributed (and replicated) storage (LeftHand Networks was doing RAID-over-LAN a while before HP bought them).

So – why is this not available as a service to which you can subscribe (or use anonymously)? Incorporating in a ‘friendly’ country, offering anonymized connections (fully encrypted, etc), and giving a client that works a la Dropbox or Box.com.

There should be lots of companies who would love to offer a service like this – it should be fairly lucrative, and pretty easy to set up.