Archive for March, 2006

History Lesson

Thursday, March 2nd, 2006

1994:

“Firewalls are a stop gap measure needed because many services are developed that operate either with poor security or no security at all.”
- Cheswick & Bellovin, “Repelling the Wily Hacker”

2006:

Firewalls are still needed.
Services still generally operate with either poor security or no security at all.
Services view firewalls as impediments to be routed around, and do so quite well.

Firewalls protect the network and, to a certain extent, services by limiting the amount of undesirable traffic reaching those services. But these days, they do very little to protect actual information.

The biggest threat to information is still people. While you can certainly reduce the population of the threat, all that perimeter firewalls do is limit the scope of the threat to employees, contractors, partners, outsourcers, separated employees whose VPN access was never deprovisioned, and the family members of anyone else with VPN access.

Just a little something to think about going into the weekend.

GoToMyPC redux

Thursday, March 2nd, 2006

There is no better way to be un-findable than to name your company after a misspelling of a common word. If I can’t Google you pretty quickly, I’m probably going to assume you’re not worth paying attention to.

Case in point: Yesterday, I was told about a company called “Avenue.” Today, I needed to reference it in a presentation. But it’s not spelled “Avenue,” it’s spelled “avvenu.”

Lucky (or unlucky, as the case may be) for them, I cared enough to ask the person who mentioned it what the correct spelling was.

Unlucky as in, I’m using them as a Bad Example. They make an app which allows sharing of data between a directory on a PC and browser-capable devices, especially mobile devices (aka cell phones).

From their site:

With Avvenu, your mobile device gives you secure access to any document or image on your computer, whatever its size or file type. Avvenu automatically formats images to match the device you are using, so you get fast response time and convenient viewing. Since you’re linking directly to your computer, there’s no waiting for e-mail transfers or uploads. And, because there are no file-size restrictions, you can share that 50MB Powerpoint file, or even a whole folder of them.

So I’m expected to trust Avvenu to provide good authentication & authorization along with the set-up and tear-down of peer-to-peer connections between my computer/data and someone’s Web browser.

Now if you feel, like me, that the biggest piece of the security problem is between the keyboard and the chair, then poor authentication becomes the least of my problems. I’m trying to fight both accidental and deliberate Intellectual Property leakage.

The last thing I need is a new file sharing mechanism which bypasses any controls I try to put in place and doesn’t even bother to clarify that “Share Folder” actually means, “Share entire sub-tree of folders.”

I wonder how long it will be before we get our first request to block this thing to prevent “any more similar incidents?”