Wednesday, December 03, 2008

Insecurities

Some fears are perfectly reasonable.
Yet I'm amazed at the amount of fear-related email I get every day.
About three days a week, I get an email from my manager.
This email is invariably a forward of a chain of emails back and forth between executives and upper management and their personal technology coordinators.
The forward itself is populated with a single word from my manager: "Thoughts?"
The email yesterday revolved around the use of AT&T cellular modems for traveling marketing people who would like to check their company email from their hotel rooms.
It must be noted that the cellular modems and associated data plans had made it through Purchasing and had already been delivered to the users for installation in their personal laptops.
Now, I've learned a few key things about that early morning question from my manager and the format in which it arrives.
First, replying to everyone with my "thoughts" is a bad idea since they generally ramble and often end up with a recommendation that the executives submit to "random" drug testing as a way to eliminate the root cause of 90% of these discussions.
Second, there are two ways to analyze most technical issues which arrive in most inboxes.
In this case, the specific issue is the question of security concerns associated with the use of cellular modems in conjunction with a secured internal computing environment.
You could check the protocol for encryption standards, analyze the technical documentation provided on the AT&T website (which would lead one to believe the technology has actually been replaced by magic), review the standard White Hat message boards for known exploits and then try to obtain data from within the connection from outside using a variety of techniques and hacks.
However, if you'd like to answer in a time frame which allows you to go to lunch, you should employ something I like to refer to as "LPPDF".
The Litigation Potential and Publicity Disaster Factor is a powerful time-saving tool which provides an accurate answer to security concerns with minimal effort.
Employing LPPDF is simple. In this case, I need only to ask myself who AT&T markets their cellular modem data service to. Given the placement of advertising in Business Week, Forbes and The Wall Street Journal, it is a safe bet that the service is marketed to businesses over individual users. Also, the fact that marketing guys knew about it in order to request it through Purchasing means they saw it somewhere marketing people see things, which indicates that they are the target user base. AT&T would prefer individuals purchase their DSL service.
The next question is "What would happen if some executive had something important stolen while using an AT&T data service?"
There would be a lawsuit. A loud and angry one.
Executives all over the country would panic like a herd of buffalo and begin hurling themselves off cliffs and out of any agreement which involves giving money to AT&T.
Therefore, the service can be assumed to be secure.
Also, LPPDF allows us to compare executives to herd animals, but that's just a bonus.
"Is this rollercoaster safe?"
"I know there isn't a warning sign, but is this pool too shallow for diving?"
"Could this chicken be undercooked?"
All of these questions can be answered without costly labwork or the scientific method if we simply apply LPPDF.
Disclosure:
While blazingly fast, LPPDF would have actually been slower than the response I supplied to this particular question.
In this case, I just said that since it was technically already possible to check corporate email over the internet through use of the web interface provided, the risk of any data loss has already been assumed by whatever group provides that service regardless of the method employed by the user to access the internet.
This response generated enough finger-pointing to allow me to slip away and get a cup of coffee and compose and publish this post.
Through the use of my AT&T cellular data card, no less.
