y hometown in rural Alabama was a place where the level of trust was extremely high. I cannot remember a time during my childhood when the door to our house was locked, except maybe when we went on an extended vacation.
Perhaps that was just a tradition peculiar to our part of the USA in the 1950’s. However, one thing is sure: times have changed and trust has been shattered on many levels. After two car thefts and a house break-in, I tend to be more suspicious and much more eager to lock things up.
A recent trip to New York City reminded me of the many people from all over the world who have immigrated to the United States over the years. As I looked from the top of the Empire State Building across lower Manhattan to the Statue of Liberty and the former immigration center on nearby Ellis Island, I had to look past the empty hole where the World Trade Center Twin Towers once stood.
Suddenly, I was filled with some very uncomfortable feelings. It was a strange mixture of trust (welcome to America!) and mistrust (do you intend to harm us?). While most Americans still believe in the ideal of welcoming visitors and potential new citizens from around the world, we are naturally more suspicious these days. We tentatively hold out our hands of friendship to our visitors while looking them over with squinty-eyed skepticism. It’s an interesting balance.
Is There a Place for Trust?
How do you balance trust and skepticism when it comes to software development? How many layers of protection should you design into your user interface, business objects, and data objects? How do you protect the sensitive data of your business and its customers, especially when you have a public Internet site? Wishing and hoping are not sufficient to properly secure a system.
We cannot afford to assume anything about the actions our users will take, either in error or with malicious intent. For example, how carefully does your Web application check the URL parameters it receives? Do you screen the incoming information or just blindly process it, expecting the best?
During my recent interview with Steve Lipner (elsewhere in this issue), I learned about the massive retrenching and retraining that began early this year and continues today at Microsoft as the company attempts to re-evaluate everything about their products and platform from a security perspective.
Be sure to check out Michael Howard’s article in this issue, which introduces the concept of threat modeling. These principles have been given a high priority in Redmond during their retraining effort and you can benefit greatly from them.
Have You Checked Your Wireless Network Lately?
Have you carefully thought about the security implications of that wireless access point you recently hooked up at home so you could use your laptop all over the house? Since they are so easy to set up with default settings that rarely include encryption, many people may be hosting their neighbors’ laptops without knowing it. Or, worse, your neighbors may be checking out those unprotected shares on your system.
“I don’t have unprotected shares, you say,” but don’t you remember that time you shared drive C “temporarily” to copy files from one machine to another? Better go check it out right now.
OK, so maybe you trust your neighbors, but I heard some real horror stories during a wireless security panel discussion at the COMDEX Atlanta show in September. It seems that despite warnings of job loss for setting up unauthorized wireless equipment, a major computer manufacturer recently found over 50 convenience access points scattered throughout their facilities, most of which were wide open to anyone probing from the outside.
Another person in the meeting asked if it was legal to investigate the dozen or so access points that exist in his shared office building. How far can you go as you look for evidence of breaches of your own network?
On the exhibit hall floor at COMDEX I found over 20 wireless networks, in addition to the official show network that I was authorized to use. I confess that I didn’t try to access the others, but I’ve wondered then if I could have seen anything interesting. You’d expect that all of those access points used by exhibitors were protected since they are computer companies and they should know better than to leave them open. Just like your home network, right?
I think we’re all going to get hooked on wireless before long as more and more access points show up at places we enjoy. For me, that’s Starbucks, and most locations I have checked in recent travels all have the T-Mobile wireless service available. Of course, I had to set up an account with T-Mobile (formerly VoiceStream), but now I can get a high speed connection anywhere in the country while enjoying a Caramel Macchiatto. For extra security I always connect over the Internet to CoDe Magazine’s VPN, and, yes, I have protected that share on drive C.
Have We Earned Your Trust Yet?
You, our readers, are very important to us and we’d like to know how we are doing. As we continue to expand the magazine over the next year and add more and more top developers to our list of writers and columnists, we would appreciate hearing what you think of CoDe Magazine.
A recent survey of new paid subscribers revealed that most of you are already beginning to use .NET technologies while others are still using other, earlier development tools. It is also obvious that most of you are not single-language developers, but are conversant with a variety of tools and technologies. That’s just the way it is these days, and we will be here to help you by covering Microsoft technologies as in-depth and practically as possible.
If you will honor us with your trust by subscribing or continuing to buy at the newsstand, you can rest assured that we will keep working hard to become “Your Favorite Magazine.”
