Castle on a CloudPosted: October 1, 2011
I woke up singing this song to myself this morning. No idea why – I haven’t seen/listened to Les Miserables in a really long time – but along with a recent event it inspired this post.
A friend of mine recently left his job for an opportunity at another company. He had a handful of personal files on his computer at work that he didn’t want to lose, so on his second-to-last day he went about trying to put those files somewhere that he could get at them on his machine at home. So far this doesn’t sound all that unreasonable. …however, due to some fairly draconian security policies put in place by his employer he was blocked at every turn.
First thought: I’ll just zip up my files and transfer them to my phone. (This might not have actually been his first thought, per se, but it was one of the things he tried). No dice, I’m assuming because they disallow connecting USB devices to corporate workstations. Next up: email it to himself. This doesn’t work either, as outbound communications with attachments have some kind of encryption requirement and GMail is blocked. Oh, I know: Dropbox! Blocked. In fact, from this point forward consider every popular website that might be useful for this sort of thing to be blocked. So…what to do?
Well, that’s about the point that he sent me a panicked email: “Dude, brah, <my employer> put some blocks in their blocks so I could get blocked while I’m blocked. Help!”
…and this is the part where I get to say “To the Cloud!” heh
So what was my magic solution? Well, first I logged into Amazon EC2, on which I already have an account as I’m currently using it to host my personal web site, and I spun up a new Linux virtual machine instance. I spent 10-15 minutes wanking around getting a public/private keypair set up – largely because I didn’t have my private key at work and I’d forgotten how to set up a new one – and got logged into my new server. I installed Apache and PHP, and I Googled “PHP file uploader”. A few minutes and a little copy-and-paste work later and I had a workable (and, for the record, ridiculously insecure) file upload page. So I sent him the URL…and it failed miserably. A little more Googling to find the Secret Sauce for increasing PHP upload limits (if you’re curious, there are about 5 places where config changes have to take place to allow this) and voila! My buddy uploads his file, I pull it down off of the VM and email it to him.
So that’s the cloud. What about the “castle”? Well, I’m not feeling particularly clever this morning, so I’ll just give you the gist of the idea that’s been kicking around in my head. My buddy’s employer blocks all of the websites that they know about in order to improve “security”. Now, this is likely required for the auditors’ sake and that’s all well-and-good…but in what way is it really improving anything at all if someone with a free hour and a little know-how can circumvent it entirely for what are, I’d say, legitimate reasons? I think this sounds like a classic case of a pretty common practice that can be described with something like “Security through Inconvenience”; i.e., “If we make it harder to use then it will be secure because people will give up after 5 minutes of trying. We win!” Much like Security through Obscurity, it’s an illusion set up under false pretenses to give the appearance of being secure – a Castle on a Cloud.