Software in the Walls: What Are Your Users Telling You?

Main     Elsewhere     The Week in CrossNodes

“Intertwingularity is not generally acknowledged, people keep pretending they can make things deeply hierarchical, categorizable and sequential when they can’t. Everything is deeply intertwingled.” – Ted Nelson

Early last week we ran an article about Zeroconf, an IETF standard moving toward completion. The promise of zeroconf is configuration-free network devices that can identify themselves to each other and peer up without administrative intervention.

Apple’s moved ahead with its own implementation of zeroconf, branded Rendezvous, which is turning up in more and more features of Apple’s OS X operating system: Users can run personal Web servers that advertise over Rendezvous; iChat (an AOL Instant Messenger client for Mac users) advertises user presence on local networks without needing to belong to a larger, external chat network; and in the next version of Mac OS X Server (10.4/Tiger), Rendezvous will likely drive weblogging and chat server software.

Network administrators have good reason to be mistrustful of something like zeroconf. Security is enough of an issue without users acquiring the ability to bypass the traditional constraints of network organization, and in an age of things like Sarbanes-Oxley, which mandate complete record-keeping where things like e-mail and chat conversations are concerned, ad hoc chat networks could prove problematic.

Developers have been busy leveraging Rendezvous, as well. The networked clipboard Spike allows users to drag and drop files into a window and advertise the presence of those files over the network without relying on the traditional mechanisms of “network drives” or “shared folders,” which can at least be periodically swept for malware or information that shouldn’t be made available outside select groups.

Similar implementations of the same basic idea include Rendezvous-driven post-it notes for computer desktops, games, and even collaborative text editors that do much to replace the “whiteboard” of bulkier IM setups.

One temptation is to ban this sort of technology because it’s a threat to the way we order our networks and IT infrastructures. It subverts our security models, limits our ability to control and monitor interactions, and makes the “rogue laptop” scenario, which already plays out daily in enterprise networks across the country, even more potentially problematic by introducing a class of software that seemingly “lives inside the walls” of our networks.

A response like that, though, denies us an opportunity to learn from our users. If they’re organizing themselves using software that’s subverting what we’ve provided them with, maybe it’s because what we’re giving them isn’t working for them. Maybe the corporate “messaging solution” is about as spontaneous and loose as a company picnic. Maybe, for as much as we work to make it less so, there’s too much friction between the nodes on our networks to allow those networks to be useful to our users.

Even among technology professionals, there’s a temptation to feel momentarily threatened by a new kind of tech, or a new approach to a problem we’ve already “solved,” but every change brings the opportunity to ask what we’re being told about the existing solutions we’re offering by the people using them.

Errata: Your Humble Editor Eats a Minor Amount of Crow

In last week’s edition we offered a collection of reasons for dumping Internet Explorer as soon as you can figure out how to migrate your users to Firefox. Here’s our list:

  • It doesn’t employ VBScript or ActiveX — two of IE’s worst liabilities
  • It doesn’t have hooks into the operating system at large — it runs in a relative sandbox
  • It blocks popups and can supress attempts to hide parts of the browser windows, often used to obfuscate Web site information during a phishing scam

We can still stand by all but one of those reasons, which is the second. It turns out Mozilla and Firefox do have something in the way of a hook into the operating system at large via the shell: scheme, which is means by which a Web page can call a program that’s not a plug-in to handle a particular kind of data. This particular scheme is problematic because, under Windows 2000 and XP, it can be used to run arbitrary programs or launch a midget denial of service attack on the user by causing the browser to attempt to open non-existent files on the user’s machine repeatedly.

Among a predictable bevvy of Mozilla defenders, two points have been raised:

The first is that the bug is less a matter of criminal sloth on the part of the Mozilla team than it is yet another problem introduced by the chaos that is Windows’ security model: Apple and Linux users are not affected. The second is that the Mozilla project responded to the problem and had a patch within 48 hours.

There will be debates around and around both assertions for the next few weeks, but the key takeaways are:

  1. No software is perfect.
  2. Responsiveness is the best remedy to that lack of perfection.

While we wish we hadn’t taken the Mozilla project’s word on the matter of Firefox’s inability to run code outside of its sandbox, we stand by our recommendation to make the move from IE as quick as is practical: Mozilla’s developers moved with remarkable speed to patch the bug, then made a second release of their software within a day to make the patch a standard feature. Meanwhile, the bug that instigated our call to ditch IE has been “patched,” but only partially. The real fix will come with XP SP2, which means if you want a more secure Internet Explorer, you’ll be upgrading.

Elsewhere in the News

» O.k. We’ve been on the WiMax hype train the same as anyone else lately. Maybe we should be relieved that someone’s found an analyst who’s called a stop to the hype and said it’ll be sometime in 2009 before we see significant penetration, which will probably not start in the U.S.

We’re inclined to believe that the utter lack of control business interests have been able to exert over WiFi/802.11 will provide a little nudge for faster adoption than that, since WiMax/802.16 provides a way to centralize the mobile broadband experience (or will, anyhow, once that part of the standard is final).

» The other side of the browser kerfluffle surfaced in an online chat conducted by Microsoft. We wish they’d addressed the security issue more, instead of sidestepping the matter of the severe liabilities ActiveX introduces by discussing its role in crash (as opposed to security) bugs.

» Another day, another Cisco acquisition. This time it’s Parc Technologies: “Initially, Parc’s technology will be used by Cisco in its Multiprotocol Label Switching management portfolio, made available as part of its IP Solution Center (ISC).”

» Axis of E-Mail? The US, UK, and Australia signed a memorandum of understanding to share information in the fight against spam:

“As part of this “ground-breaking” international deal, the U.K. Office of Fair Trading (OFT), the Australian Competition and Consumer Commission and the FTC will engage in evidence exchange, information sharing to detect and investigate international spam activities and enforcement coordination, according to U.K. ministry officials. The three agencies will review the agreement on an annual basis, with an eye toward expanding the scope of information- and investigation-sharing.”

» We know you love the IIS/Apache horse race: here are the latest numbers. (Pre click-through hint: For a horse race, these numbers never seem to change much.)

» “JUNOS router software, which helps direct network traffic using the next-generation IPv6 Internet standard, contains a flaw that can be exploited to cause a Denial of Service attack.”

“The vulnerability results from a memory leak within the IPv6 Packet Forwarding Engine (PFE) when processing certain IPv6 packets, according to the company, the United States Computer Emergency Readiness Team (US-CERT) and the security firm Secunia.”

The Week in CrossNodes

» In a DNS bind? Get Out with dnsmasq

If the intricacies of bind are too much to navigate and all you really need is lightweight DNS services for your LAN, dnsmasq might fit the bill: Configure it with /etc/hosts, use it for easy DHCP services, and put the kibosh on the likes of Sitefinder’s DNS-breaking marketing scheme.

» Scripting Clinic: Slice and Dice Text with Perl

Perl’s been called the ‘Swiss Army chainsaw’ of scripting languages, but in this installment of the Scripting Clinic you’ll learn how to use it like a scalpel for your most demanding (and disorganized) files.

Network News Break is
CrossNodes’ weekly summary of networking news and opinion, served up fresh.
Please send your comments and suggestions to the editor.

Latest Articles

Follow Us On Social Media

Explore More