Dailydave mailing list archives
The magic in the cloud
From: Dave Aitel <dave () immunityinc com>
Date: Wed, 21 Jan 2009 23:06:40 -0500
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Lately, while I get up to speed on Django and whatever Zen it is that makes Twitter a huge hit and FriendFeed something you only visit once, I've been obsessing about a comment someone made to me at a party. They said "What we want is grid computing, like with our mainframes, but we want to outsource the whole cloud." Which is funny, because Terremark, another major Miami technology company, recently opened up its "outsource your cloud" service. Of course, lots of companies let you buy VPS's, but usually these are companies that are cannibalizing sales of shared hosting machines for PHP apps, not backend processing for real companies. But if you can outsource, say, your trading algorithms onto someone else's CPU, then why not just outsource all your sensitive data? Why not make this someone else's problem, assuming you can get a contract or insurance to cover you financially? By the time it all bursts like the real estate bubble, some other CTO will be left holding the smoke anyways. "Cloud computing" has a magic ring to it. It makes it someone else's problem, but somehow hides the security issues. No CTO in his right mind would ever consider shared hosting as protected by Unix Permissions. Even Solaris Containers and Zones and newfangled isolation hotness never seems to pass muster. If an attacker can buy space on the same kernel, it's not allowed. No amount of crypto magic, kerberos, key distribution, or PKI can bless it. So why on earth is it ok if the attacker can buy space on the same hypervisor? By what trick of psychology is that different? Speaking of different, I wanted to point out that Immunity has partnered up with CanSecWest and we're offering free admission to this year's 2009 conference in March. You're probably already going, but if you wanted to go for free, which I guarantee makes it easier to find budget for, you should email admin () immunityinc com and find out how. - -dave -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFJd/DQtehAhL0gheoRAs40AJ4w4OVqvLDr/9BXL7SeXoobQa3BggCeL8aq iVDsyxyhA08hZNhVLWi2zQQ= =RvxL -----END PGP SIGNATURE----- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- The magic in the cloud Dave Aitel (Jan 21)
- Re: The magic in the cloud Rafal @ IsHackingYou.com (Jan 22)
- Re: The magic in the cloud Christien Rioux (Jan 22)
- Re: The magic in the cloud Rafal @ IsHackingYou.com (Jan 22)