Firewalls 1996 to 2008

January is aptly named after the two-faced god of gates and doors. It's a good month for looking both forwards and backwards. For example, if you look back 12 years in network security you might notice FireWallCon '96, an event orchestrated by the National Computer Security Association (NCSA later became ICSA Labs, was bought by Cybertrust, and is now part of Verizon, so ncsa.com no longer exists; but here is the conference listing in Risks Digest).

It is fairly safe to say that this was the first full-scale, commercial conference dedicated to firewalls and Internet security. Heck, it even had t-shirts, darned good ones at that; after 12 years I'm still wearing mine, shown at left.

And it is amazing to think it was that long ago. These days a sizable percentage of the population has at least an inkling of what the term firewall means in a computer context (as opposed to a building code context). Blockbuster movies and popular TV dramas use the phrase "getting through the firewall" in the expectation that most of the audience will know what it means.

Yet 12 years ago it was not unusual for IT professionals from big companies to be asking "What is a firewall?" and "Do we need one?" The buzz about firewalls built very rapidly from 1995 through 1996 and sales were brisk. I met several people at FireWallCon '96 who had bought a firewall for their company but weren't yet sure where they should put it.

Some organizations took a long time to figure that one out. I recall my colleagues and I putting on a firewall seminar for a very secret government agency three years later, during which it became clear that many of their IT people thought a router with access control lists was the same thing as a firewall. This was somewhat worrying, and puzzling when you consider the fact that one of the best early documents on firewalls was written by two gifted federal employees, John Wack and Lisa Carnahan (NIST Special Publication 800-10: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls, December 1994). We drew on that document to create the NCSA Firewall Policy Guide, which enjoyed extensive world-wide distribution (NIST SP800-10 does not seem to appear anywhere in its original form, partly because it was superseded by the more complete SP800-41).

We now have firewalls everywhere, even on our personal computers. They haven't made us as comfortably secure as we'd like, but when properly configured and managed they are considerably more difficult to get through than some movies would have you believe.

Blog Beats Beeb on Boeing Blooper?

Sorry about the overly alliterative headline, but I couldn't help myself: My blog post about security "issues" related to the Boeing 787's airborne network apparently appeared three days before the story was reported by BBC News. (As far as the whacky headlines go, I am still trying to beat a London Sunday Times headline from back in the sixties, over a story about Japanese zipper manufacturers beating UK rivals: Jap Zips Zap Brits.)

And it was not really my blog post over the weekend that "beat" today's BBC News web site coverage of the Boeing 787, it was the Wired web site, which picked up the story very quickly, namely Kim Zetter on 01.04.08 stamped 7:30 PM. I blogged that story on 01.06.08 so I was a little slow. However, the BBC says the story was first reported by trade magazine Flight International (which is not one of those magazines that publishes its stories on the web, so I am not sure about that claim, although it could well be true--my father-in-law, a battle-tested Navy pilot from the days of prop planes, used to read FI religiously).

As to the blooper, I just got an email from a fellow CISSP containing just the kind of comment I predicted. He saw the story and said, with some sadness: "not surprised." He added: "If aerospace is integrating everything, then rational thought and consideration is failing even in that industry."

Not Surprising? Boeing 787 flight controls vulnerable to hacking (FAA)

You don't have to be a computer security expert to see the problem presented in this revelation, reported by Wired. Heck, your average Internet-using consumer can see the flaw in this:
"The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals."

Let us all take a moment to digest the staggering clue-less-ness of such a design.

But while this design flaw may come as a shock to consumers who know--from their own home networking and web surfing--that putting actual flight controls for a real airplane on, or anywhere near, the Internet is a really BAD idea, Boeing's decision to do so will not surprise seasoned security professionals. Why? Because we have learned that large organizations have a peculiar way of keeping their collective intelligence from being collective.

Consider the two very nice Boeing people I met in Paris in 2004...

Recommended Reading for Mark Zuckerberg: A free privacy primer

In yesterday's post about 2007 I made a somewhat light-hearted reference to the need for a 'back-to-basics' education in privacy. I also suggested that the Facebook Beacon privacy snafu might be something other than a privacy ignorance indicator, namely, a calculated attempt to push the limits of user-acceptance of commercial use of private data.

Well, the more I read about Facebook Ads, like the use of personal images by commercial advertisers, the more I wonder whether some people really did skip Privacy for Business Owners 101.  On the face of it, pun intended, Facebook Ads comes close to violating several of these fundamental data privacy principles:

  1. There must be no personal data record keeping systems whose existence is secret.

  2. There must be a way for an individual to find out what information about him is in a record and how it is used.

  3. There must be a way for an individual to prevent information about him that was obtained for one purpose being used or made available for other purposes without his consent.

  4. There must be a way for an individual to correct or amend a record of identifiable information about him.

  5. Any organization creating, maintaining, using, or disseminating records of identifiable personal data must assure the reliability of the data for their intended use and must take precautions to prevent misuse of the data.


And where did these principles come from? Some avant-garde, privacy-obsessed Scandinavian country? No, these are the basic privacy principles that were laid out by the U.S. government ten years before Mr. Zuckerberg was born.


And if Mr. Zuckerberg had taken Privacy 101 he would already know that the first U.S. legislation to consider privacy in the context of computers appeared after Elliot Richardson, who was Richard Nixon’s Secretary for Health, Education and Welfare, commissioned a study of record-keeping practices in the computer age. The resulting report, commonly known as the “HEW Report,” recommended the enactment of a federal “Code of Fair Information Practice” for all automated personal data systems. The code envisioned by HEW contained the above five principles that would be given legal effect as “safeguard requirements” for automated personal data systems. The Privacy Act of 1974 embodied the HEW principles in law, establishing protections for personal data held by the federal government.


Fortunately, both Mr. Zuckerberg and you, dear reader, can learn these and other fascinating facts about privacy for free. Just download the free electronic version of Privacy for Business available at www.privacyforbusiness.com. Who knows, they might just keep the FTC off your back and the feds out of your IT department.

So Long 2007! Reflections on computer security and data privacy

Well, it’s January 2008 and I’m a little late with my end-of-the-year reflections on information security and data privacy in 2007. Nevertheless, here’s my take on what I think were the three top trends/stories/developments. I think 2007 was the year:

  • of the criminal hack

  • of a new shift in privacy concern

  • of important new tools for data security


Happy New Year!

I'm phoning this in from the snow covered hills of mid-state New York, where the joys [and necessity] of snow-plowing with an ATV are being discovered. I hope everyone out there has a great oh eight!

(With a special thanks to Dana and Clem at the Rose & Kettle for crafting another great New Year's Eve event.)

Huckabee Versus Budweiser: Where's the media when you need them?

How many journalists are covering the Republican presidential candidates right now? Probably thousands. But how many have read what front-runner Mike Huckabee hath written? Apparently very few. For example I can't find anyone looking into his attack on Budweiser.

No, I'm not talking about dredging the distant past for lost sermons but a text he published last year: Character Makes a Difference: Where I'm From, Where I've Been, and What I Believe (Paperback, June, 2007).

The problem that Huckabee has with Budweiser is the way the company's advertisements play to the selfish nature of man, for according to Huckabee, "We are not basically good; rather, we are basically self-centered, look to ourselves first, and preserve ourselves first at all costs."

Amazing Audio Assistant: Free content in convenient format, no fees required

A lot of the Christmas shopping buzz this year has been about digital this and i-that. Unfortunately, a lot of these digital gizmos cost at least $100. Consider the iPhone, PSP, Wii, digital cameras, PDAs, smart phones, and various MP3 players. Not much in this category for the under $50 crowd. But wait, what is that cool silhouette in the corner?

This is a very cool palm-size, hand-held gizmo that I found for under $30. It delivers a non-stop music stream or current news, for weeks on just 2 AA batteries, with no subscription fees. It has a built-in clock and an alarm and operates in multiple languages. It comes with cool ear buds plus a speaker that is actually built into the device, no external pieces or cables required. And the whole thing is totally wireless.

Our XO Arrives: ahead of [revised] schedule!

We got our order in on 11/24/07 and our unit arrived yesterday, 12/22/07. A bit of a surprise because I got an email from OLPC on 12/21/07 saying it would not arrive by 12/24/07. But hey, I'm not complaining. For more on shipping check out this blog.

The timing is a bit unfortunate because we are away for a few days and not there to enjoy it, but we have house sitters who promise to take good care of it until we return. Meanwhile, we can enjoy that warm glow of righteous giving all over the holidays, knowing that OLPC will be delivering our 'given' machine to children in either Afghanistan, Cambodia, Haiti, Mongolia or Rwanda. Yeah!

In the meantime, I am finding all sorts of XO resources popping up. There is One Laptop Per Child News. There is olpc dot com. And there is the OLPC Wiki. Puget Sound has perhaps the first XO User Group. I'm not rating these sites, yet, just listing them for you to check out.

OLPC Getting Closer

The excitement is mounting for people who placed an order for the XO under the "Buy-one-get-one" program, previously blogged here. Shipments are now rolling and the wonderful folks at One Laptop Per Child are working round the clock (is it too twee or non-PC to say they are working "like elves"?) to get as many machines as possible shipped to North American customers by the 25th of this month.

If the Fedex truck does not roll up with your XO by then, it will likely arrive shortly thereafter. And if you haven't ordered one yet, and Santa doesn't bring you one, the Give One Get One program is now open through December 31.

I plan to post my review as soon as mine arrives [or the eggnog haze clears, whichever comes later :-)]. In the meantime there is an extensive look at the XO on the blog of veteran LISP programmer Bill Clementson.