Wednesday, November 20, 2002
VPNs (Virtual Private Networks) are replacing firewalls as the silver bullet of security, and like firewalls they're a good idea but they don't fix everything. There was a brief mention of "Dreamcast, Phone Home", software for a Sega Dreamcast that lets you plug it into a protected network and have it sit there as a mole, listening to everything you do and phoning home with the information. It's a proof-of-concept device, not a completely pre-packaged hack, but it's quite cool. The point is that it's not that hard, in many corporations, to get into a building dressed as a deliveryperson, find an unprotected jack, and attach a small and fairly innocuous-looking box to it (they point out that several new PDAs would also work, and provide a similarly innocuous-looking package). Who knows what all that stuff is in most buildings that's plugged in and tucked behind desks? Who even looks down there unless their pen rolls off their desk? But once it's there, many security measures are worthless, because they assume that the attack is coming from outside.
And on the subject of unprotected jacks, I'll be at a meeting tomorrow to look at the next round of protecting them at UW. Locking jacks is fairly easy; the hard part is letting authorized people use them afterwards, when "authorized" can include guests like the visiting security people from yesterday, the vendor reps who came and demoed a system to us on Monday, all the visiting scientists in areas like high-energy physics where research always involves travel, all the people paying big bucks to our business school for a week's course at their executive training center, and so on.