Wednesday 28 July 2010

Not my network

I know there's a balance between security and usability, and that balance is called Usable Security (or hcisec for the acronym geeks). If done wrong, a product can be usable or secure; if done right, it can be both.

One good way to make a product more secure is to offer the user only secure choices, or at least make the less secure ones hard to choose. A stupid way to execute this guideline is to "dumb down" the product enough so that the user can't go wrong. I found such a lack-of-features today, with Windows 7.

I work as a "sysadmin on wheels", which is to say i travel between customers -- either physically or over the wire -- and take care of their computing infrastructure. I often need to connect my computer to the customers' networks. Windows 7 (and Vista) address this with their Network Locations "Work", "Home" and "Public". When Windows connects to a hitherto unknown network, a dialog box pops up, prompting me to set the appropriate Location for that network, with some help text. This is, of course, an improvement on the "one rule set to rule them all" mindset, and a considerable improvement on the old days of XP when Windows came with no firewall at all.

But here i am on a customer network. It is a work network, but it is not my work's network. This means that i need to be able to discover "professional" Windows infrastructure services and computers, but it doesn't mean that i trust the network enough that i'd want it to find me. Or, put in a milder scenario, i would not want my customers' network to notice it has an unknown computer on its net. I for one would be freaked out if it did, and to all intents and purposes i am the netadmin of that network, the one who should get freaked out.

So i am hoping to find an extension to Windows 7's firewall profiles, the Customer location. And it may be that Windows has thought of this already.

Windows has something called "Windows Firewall with Advanced Security" and i know it talks about the Profiles "domain", "private" and "public". According to an article on 4sysops, these do not map 1:1 to the network Locations work, home and public which you can set from the for-mortals interface i mentioned earlier. Whereas the public profile is equivalent to the public location, the private profile maps to both the home and work locations, and the domain profile applies "when a domain-joined workstation detects a domain controller". Which is nice. Now the Work location really may mean a work network, and Windows will automagically realize whether it's my work network. But shouldn't there be some difference between a customer network and a home network?
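The closest thing to a "customer" location the profiles above allow is to treat the customer network as Public (my machine can still discover their services outbound, but inbound discovery listeners stay shut) and to verify that this is actually what the firewall does. The snippet below is an added example, not something from the post or from 4sysops; it assumes Windows 7 or Vista, an elevated PowerShell prompt, and the English rule-group name "Network Discovery" (localized installs name the group differently).

```powershell
# Added example (not from the original post). Assumes Windows 7 / Vista,
# an elevated prompt, and the English rule-group name "Network Discovery".

# 1. Which firewall profile did Windows pick for the network i just joined?
#    Expect "Public Profile Settings" for a customer network set to Public.
netsh advfirewall monitor show currentprofile

# 2. How does each profile treat unsolicited inbound traffic?
#    Default for all three is "Firewall Policy  BlockInbound,AllowOutbound".
netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy'

# 3. Make sure the Network Discovery listeners (LLMNR, SSDP, NetBIOS, WSD)
#    are not open inbound on the public profile. They are disabled there by
#    default; this enforces it in case someone switched them on earlier.
netsh advfirewall firewall set rule group="Network Discovery" dir=in profile=public new enable=no

# 4. Verify: every Network Discovery rule listed for the public profile
#    should now report "Enabled: No".
netsh advfirewall firewall show rule name=all profile=public |
    Select-String 'Rule Name:.*Network Discovery' -Context 0,3
```

Outbound discovery (browsing the customer's shares, resolving their hosts) is unaffected, because the profile only blocks unsolicited inbound connections.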

I guess i need to think about that.

Now back to work.

Thursday 15 July 2010

Greetings from the big blue room

These last five weeks i've been mostly outside, and while i've been connected to the Internet, i haven't really been connected with it. And i could write more about it, but as i'm still on vacation until the end of this week, i won't :)

No, wait, that's not right (except for the vacation bit, that one's true). It's true that i have not checked work email or been connected to the work network more than once, and i haven't spent vacation time tied to a desk. But i have used the 'net, and in fact rather frequently. I've checked the weather on the road. I watched a classic sci-fi flick from my TVkaista account in a hotel. I've spat out irrelevancies on Facebook and on Twitter. And i've observed that i've received mail and ignored most of it. I've played music with Spotify for my kids, watched some Manu Chao clips with my son on YouTube...

So yes, i have been connected with the Internet, even though it's been mostly as a consumer. But it's been good to have it around.