Live Mesh – initial thoughts

Experimenting with the tech preview of Live Mesh was a curious experience – my first reaction was a mixture of “that’s cool!” and “so what?” – the kind of private techie moment where you do something pointless but technically impressive. So I ended up remotely controlling the laptop on my right from the netbook on my left and filmed it and er… blogged it and er…. so what?

Well the “what” isn’t very developed yet, but the thing that really jumps out at you (and the reason I sound a bit surprised in the vid) is how easy it is – this is consumer grade technology. Give a 7 year old a Windows Live ID and administrative permissions over their equipment and they’d have it meshed in about 10 minutes per device – *that* easy – you just keep clicking “ok” until it works.

So I’ve got my Mesh now – big deal. What can I do with it? Well, I can connect into my work PC from anywhere and sync any files that I have access to on my local desktop to anywhere. As an experiment I logged into my work machine via the Mesh, browsed to a network location that contains the most confidential files I have access to (network config stuff) and tried to sync it – no go: the server they’re hosted on isn’t part of my Mesh. So I copied the folder down to my desktop (Mesh has allowed me to log on authenticated to the domain) – right-clicked, and bingo.

Cool – I work remotely, I can never know when I might need this information so I’ll add it to my Mesh, problem solved! Except. I set up the EeePC that’s part of my Mesh in a rush. It’s like my personal machine isn’t it – not connected to the domain, so… I didn’t set a password on it ;) Boot it up – hit return and you’re in (not now of course, but you get my drift).

In security terms I think of this as “leakage” – there’s no intention to distribute the information outside its proper audience, it just ends up in places where it’s no longer protected by the mechanisms that we put in place to keep it restricted – and once it’s “free” of those restrictions you’re just trusting in luck to keep it safe.

Of course this isn’t new – pod slurping – USB keys – staff taking home or printing out confidentially supplied information all produce the same potential for leakage, but it seems to me that Live Mesh raises the bar a bit and challenges what I’ve always thought of as a security principle, which is:

“if remote access becomes trivial, then local access controls become meaningless”

These are initial thoughts because I’m still trying to understand the pragmatic utility of Live Mesh in a Cloud-based world. I can see that it’s Groove v2 – but I never “got” Groove. I can see that as a domestic technology it will make it easy for people with Windows Live IDs to share files in “private” (but why wouldn’t you just put your pictures on Flickr?) and I can see people having fun with remote access “just because they can” but apart from that?

Bottom line is that I think it’s toxic to Microsoft’s enterprise security model – if there is anything that is going to convince you that storing precious information in a standalone file format that can be copied willy-nilly around the globe is a bad idea, it ought to be this. Put your *secrets* in a safe place – and that safe place is the Cloud, not the Mesh.