posted Mar 20, 2001

.Net demystified: What you must know
Privacy from Companies
3/20/2001; 8:52:06 AM

'Suppose, for a moment, that everything could talk to everything else. Your calendar could get information from and supply data to your documents, or your cell phone, or someone else's calendar and cell phone. Your computer's desktop could tell you that your dry cleaning is ready or your bank account is overdrawn....'

'To do this, Microsoft wants to know everything: the information in your user profile, address, and application settings; what devices you use; what's in all your documents; your favorite Web sites; where you are at any given moment; your credit card numbers and payment information; the contents of your personal calendar, contact list, and e-mail inbox; and probably a few things I've left out.'

The article discusses the possibility that somebody will hack this datastore because it's a tempting target. Do the basic analysis: "How hard is it to get into?" and "How tempting is the target?" Remember, security is never perfect, so this analysis is based on the idea that you need enough to make what's being protected not worth breaking the protection.

The answers aren't encouraging.

"How hard is it to get into?" Not to bash Microsoft, but security has never been on their priority list. Granted, there are exploits for every system, but at least the BSDs care about security, and the Linux people do on some level as well. Microsoft does not really have a track record for caring. I'd guess security will be relatively easy to crack, at least at first. (Actually, this would be sort of fun. Maybe I should learn more and do some white-hat work for .Net. Then again, my plate's full as it is.) How good they can make it will be interesting to watch.

Also note that it's not just Microsoft's security that can be breached. Depending on the software being run against Microsoft's services, you might be able to crack that somehow. If enough people are using some third party solution, that third party solution could open holes, even if Microsoft does their job perfectly. It's an awfully large system, with an awful lot of ways into the primary datastore... surely one of those ways will end up being insecure.

"How tempting is the target?" Let me ask it another way. "Can you imagine a more tempting target?" I can... Microsoft's servers probably don't have your social security number... but that's about it! Credit cards, buying history (if you're going to commit credit card fraud, buying histories are a great help; you can try to fit into the pattern of spending on the card so nobody notices anything amiss), e-mail (which isn't always just saying hi to friends; think industrial spying), what more could you ask? With a target this tempting, .Net will be the target of every cracker worthy of the title. What are the odds Microsoft will stop every last one of them?

With a target this tempting, rock-solid security will be necessary, security to challenge the likes of the NSA and CIA. I for one definitely won't trust anything important to Microsoft.

I must admit I'm surprised at this centralization business. When you can buy a 40 GB hard drive for 100$ and have it on site, with the extremely high bandwidth and great low latency that only a hard drive stuck in your actual computer can provide, why move the data off the desktop machine? It's great that you can, there's power and flexibility in this architecture, but there's nothing in the architecture that necessarily implies that the data has to be housed by a central repository. You should be able to set up a net-connected desktop as your data-store, and tell any .Net component to use it. Maybe you can and I just haven't heard about it. I sure hope so.

