
September 06, 2007

Listed below are links to weblogs that reference The Black Wire and the White Wire:

Comments

Sean

I work from home; my laptop for work is banned from Skype, eBay, Messenger, Firefox, iTunes, Google Toolbar, slacker.com, Facebook, any web mail or downloads of any kind.


ZOverLord

MyToGo for Skype allows ANY Phone to gain access to Skype calling services, this includes calling Skype Names for FREE, checking Skype Voice Mail for FREE as well as using Skype rates for both local and long distance calling, and does not require any software to be installed on the phone. MyToGo for Skype is FREE as well, for more information please go here:

http://www.testing.onlytherightanswers.com/modules.php?name=News&file=article&sid=58

Bob Calder

K12 schools have a three-sided problem. First business security, second student security, the third being freedom to learn which includes Second Life and whatnot.

My own Science and Society oriented course includes plenty of content creation. It is truly unfortunate that we must sneak to participate in online life. Yes, it gives a flavour of excitement but it makes recognition impossible. :-(

Brad Garland

Wow, great post. Simple yet powerful point. I think I need to expand on your thoughts and how they apply to my field, banking. Thanks for the insight!

Tim

Sorry, I can't agree. Given the rapid move to SaaS models for mission critical enterprise applications, it's only a matter of time before corporate IT departments will no longer be able to justify a two network approach. There are many examples of "cool web stuff" out there in all of what you've defined as the "traditional core software" (just look at salesforce.com and success factors). The resistance in corporate IT departments to SaaS has to do with control and job security concerns, not economics or electronic security concerns.

Ed

This approach is completely wrong from a security point of view.

You connect to the internet with the unfiltered cable and get exploited. Then you connect to the internal network and spread the problem inside.

It's like having a laptop user who keeps travelling and uses unsafe networks. Letting him connect to the internal network is not a good idea. Check Wikipedia for "DMZ".

Julian Elve

Have to agree with Ed about the risk of your laptop being a vector for malware entering the company network.

Completely agree with the frustrations though, and the idea of different network zones for different things - you might want to check out the work being done by the Jericho Forum, an industry grouping looking specifically at network de-perimeterisation (ugly word!).

In essence the way to increase flexibility is to stop assuming that any network (including the internal one) can be trusted, and move the trust decisions (and trust-increasing actions) to the end points - for example by hardening the PC.

Vincent Schonau

I'd say this is mostly a response to IT departments that are having trouble explaining their security policies to end-users; or perhaps are being overly restrictive.

A good network security policy doesn't restrict users from the applications they want or need to use, but provides them with ways to use those applications safely.

As has apparently happened in Chris' office; when the security policy becomes too restrictive, or the IT department can't adapt, users (and even their local IT staff!) will end up working around them. This usually creates an even more insecure situation.

Balancing security and usefulness is hard. In this example, usefulness has been sacrificed, and security ends up suffering. I'd be really disappointed if we'd have to concede that the network can't be both useful and secure.

Chris Anderson

Ed, Julian,

What??! This is a *laptop*, like half the computers in our office. They're all meant to be taken outside the office, to home, hotel rooms, EVDO etc. Of course it's going to be connected to insecure networks. All the firewalls and filters have to be internal, or the risks you describe would kick in the first time it was used on WiFi at Starbucks.

Think of my White Wire as going down to the Starbucks at the corner or connecting on my EVDO connection. From a security perspective there's no difference.

Surely you don't think it's realistic to ban laptops from the workplace, do you?

Chris

Scott Chapin

This week's TechNation interview with Ron Levy, CTO of BEA, provides some of Ron's insights into corporate security. The title is "CTO vs Timezones", but he talked more about security and recognizing that you can't block out new technologies than anything else.

http://itc.conversationsnetwork.org/series/technation.html

Kevin Kelly

Chris,

To finish your analysis you need to tell us what percent of the time you use the white plug and what percent the black?

BTW, this dual approach is exactly what the intelligence agencies use. One machine/network for secure internal use, and one for outside browsing. But this dual method drives the analysts crazy, because more of their work is outside and they can't integrate it.

Marcello Vena

Chris,

The real message, that IT serves both innovation and operations is a fundamental concept that cannot be stressed too much.

IT Security, as other issues (such as business continuity, disaster recovery, etc.), is certainly an important aspect.
However it is generally part of operation issues (except if you are an innovative company that deals with security solutions!), so our security guys cannot pretend to address the whole topic just from the side of operation... as without innovation operations are short lived as well...

You know what we also do? Running two operating systems on our laptops... Linux for cool surfing and MS for the operations. But again this is "just" an implementation detail, how you do it. But the key message is what to do and the concept of ICT as backbone for innovation and operation is what really matters.

With "long-tailed" individuals a one sized corporate ICT policy can't obviously fit all....

And I do agree very much with the blurring of the difference between work and private life. If you realized this, you will notice that this adds even more challenges... Chris.. please "stay hungry and stay foolish"... (we all know whose sentence is this, don't we?) :-)

Marcello

Julian Elve

Chris

In response to http://www.thelongtail.com/the_long_tail/2007/09/the-black-wire-.html#comment-81931285

Yes, I get it's a laptop. The secure way to allow you to use this to connect to public networks is to harden the laptop - i.e. ensure there is up-to-date anti-malware running, install a software firewall with closely-controlled rules and use VPN from the public networks to get back in to your work stuff.

The secure way to use this to access the internet from a public network is to VPN tunnel over the internet back into your corporate systems, then out through your corporate internet connection to the internet. That way you benefit from your full-strength corporate firewalls, email filters etc. etc.

Depending on the value of your corporate information and the importance of what you need to do when you are "out and about", there may be a business case for allowing the laptop firewall to connect directly to the internet in a public location, but that is the start of opening up an attack hole - for example a trojan with a keylogger could sit dormant until it saw you were back on your corporate network and then start capturing internal "secrets"...

The whole thing is a maze, and although you may not believe it I'm one of those CIOs who is committed to opening up the boundaries - doing it securely is not easy...

regards

Julian

TJ McCue

Hi Chris,
Loved the book, love the blog. What's next in the Long Tail category for you? Is there some other post where you've answered this? When i was a columnist (short stint) for the Wall Street Journal -- i would have been begging to be the one to review your book and get a chance to talk for 15 minutes for quotes. Alas, i don't write for the Journal any more, but i still have a journalist heart and mind.

Kudos on the thoughts and ideas you share. Enjoyed the one on Lomborg and the one on the Iranian man who sent in his photo. I understand the struggle, but like the idea of embracing the individual. A pastor i know once told a great story about Lee Harvey Oswald and if just one person had shown that dejected and ridiculed man compassion and love and kindness, perhaps history could have been different. Over-simplistic, i know, but friendship and kindness go a long way.
TJ

TJ McCue

Oh, meant to ask -- are you still working on the Fortune 500 Business Blogging Wiki???

Adrian P.

What answers do you see for a company that won't even consider a two-network strategy (due to cost, due to desire for IT to retain tight control, etc)? I had to fight for a while to get access to blogs, and only finally gained it after a client asked us to quote pricing for advertising on them.
Same thing with MySpace, etc. Another client chose to go with a MySpace page, which was set up, and then couldn't be managed because I couldn't access it (social networking sites were filtered).
Then, the icing on the cake: the filtering service our company utilizes blocks me from Rent.com because, according to the filtering service, that is in the 'Adult' category...
Sorry, I guess I had no real point, just wanted to vent some steam (that doesn't make me a troll, does it?)

ikedi

Yeah just have to have all your computer security in place.

Chris

Like others stated the two network strategy is a double edged sword. By connecting to an external network and the corporate network you are essentially bridging the networks and as stated by a few others here are now opening a hole where trojan horses, viruses and other malware can breach the corporate network.

I agree that blocking access to cool web stuff is inconvenient and the IT industry needs to come up with new practices that will safely allow access to these tools for corporate users. Unfortunately social networking sites and other cool web stuff often are the targets of exploits and if ports were left open on a corporate firewall to allow access to them they are also opening the organization up to the potential for infection.

The problem really is the methods in which secure computing is conducted. It is intrusive to the end user and not always accurate. There needs to be new methods like another post here stated, such as hardening desktops and laptops and making sure a bullet proof antivirus and malware solution is deployed.

blooflame

I disagree with Tim above (ironically I have the same first name). It's not about job security and control of turf, for most of us who handle the IT / tech support duties at our companies. A lot of unrestrained, unvetted stuff can cause problems, from major to minor, and can reduce the stability of the environment. Our primary job duty is to ensure that you can get your job done every day, and that things work as you expect, every day; because when they don't you don't get work done, and the company loses money because of it. At the least, they pay you money for non-productive time; at the worst they lose customers and/or big money because of non-working order systems or whatever - when United can't make a reservation, the customer goes to Southwest for example. So, we're not trying to act like The Man and 'hold you down' - we're just trying to make life easy for you (and, admittedly, for us, because we don't love spending all day solving problems for frustrated, sometimes angry, people).

Chris Beall

I love the black/white cable metaphor. Unfortunately, in many organizations, the black cable reaches all the way inside the machine. My company has a new free software product, QlipBoard at www.qlipmedia.com, that lets you create multimedia email in seconds - great for support, contract reviews, all sorts of useful stuff - and it occasionally gets stuck behind obsolete versions of Flash that can't be upgraded because of IT policy, prohibitions on video attachments, etc.

It's ironic that digital technology, which generates near-infinite tails in the consumer world, is so scary and brittle that larger organizations feel compelled to retreat into a short-tailed shell, protected by black cables.

Alberto

Good afternoon Chris, respect for your brilliant work. I have a little story for you: I do consultancy work for the Italian Department of economic development. Lack of transparency is just about the main programme killer in development projects, which tend to fail to gather the necessary citizen support. And what do these guys do? They ban wi-fi, they firewall their system to half coma, they centralize absolutely everything so that you need to access the CIO just to create an email address. The result: people work from hotels, and if you need a project blog you just buy hosting from a commercial ISP, install Wordpress and outsource it to a 20-year-old. What's there to protect so jealously, I wonder. Economic stats are the taxpayer's anyway.

In a world where crowdsourcing and collaboration simply outperform closed groups in most fields, I suspect that classified data will simply get left behind, as people do all sort of cool stuff with the data that are pooled for everyone to play with. Have you tried plotting a chart of your time allocation between the two cables? In two years you might just be using the white one! If it's not downloadable, it does not exist.

Sherry Kughn

Hi, Chris,
I met your father recently at the Zoe Conference. I have a 22-year background in journalism, although not as extensive as your background. Just thought I'd check out your blog and see what kind of journalism you focused on -- business, one I've never done much work on. --Sherry Kughn

Comrade Smack

The problem with your setup, much like other setups, is the security risk of doing so. Malicious software could come in from the sandbox, which is then risking the business side.

Just a thought.

Steve Parker

We have an awful receptionist who stops the general public getting into our internal offices. It's a real nuisance. She has all sorts of outmoded ideas, like people needing to have appointments, asking for ID, just crazy.

I opened the firedoor, and let anybody in through that way. Competitors, customers, whoever. I don't know who they are, to be honest, I never ask. Half the time, I'm not even looking. They get to have a wander around our building if they want, though. It's much more modern and sociable.

Admittedly, Homeless Joe isn't quite the best at personal hygiene, and we might catch the occasional virus off him, but it'd be rude to ask him not to come in. We've got healthcare, so the company takes care of keeping viruses away, which means that we don't have to worry about it.

The CIO still has a problem with homeless Joe wandering around the Accounts department, job applicants swapping files around in HR, or our competitors listening in on boardroom meetings. They really need to get with it, this is the 21st century, we're sharing and collaborating. SecondLife is more important than "security"! If the Legal team don't want strangers wandering around their desks, they could always put up a sign, or something.

Does that sound alright, Chris? Hold on, it's barking mad, isn't it. It's a cracker's dream to find a computer connected to a modem and the internal network; you're kind enough to supply them with DSL! Fantastic. Security barriers are needed to protect the business. And they are best set up by security professionals, based on technical design, not by non-technical staff deciding that the company's security is too inconvenient, and should be discarded for his personal convenience.

If what you claim to have set up is true, I'd suggest that you delete this blog post ASAP before your boss finds out about it. It would be grounds for dismissal at just about any firm. Unfortunately for you, Google have already cached your confession.

Chris Anderson

Steve,

Very amusing comment. You think it's madness to allow computers to be connected to two networks, which I assume means that you think that everyone who works for a company should be required to use a VPN anytime they're away from the office, be it at home, a hotel or Starbucks (not just to access the company network, but for all Internet access). I do in fact know people who work for companies that have such a requirement, despite the effect it has on performance and flexibility. They're miserable.

The truth is that IT needs to become more flexible to accommodate the increasingly unpredictable and diverse places and ways that we work--not the reverse. If you're the kind of IT guy who wants all employees to make your job easier by only using computers the way you want them to, you're part of exactly the problem I'm talking about.

My sympathies for those who have to live under your rules.

-Chris

gifts for men

Normally there is a blue wire, the blk/wht wire should be for a lite kit. if you have a lite this can be hooked up to the wire if you have two wall switches on the wall 1 for the fan 1 for the lite. if you only have 1 wall switch the blk/wht should tie in with the blk wires with the lite kit. if you do not have a lite on your fan just cap it off and leave it.
