Linux and Security Blog
Thoughts from Time to Time on Linux and Security — 2012
I have written a number of courses for Learning Tree International, a training company, in the areas of Linux, networking, and cybersecurity. I have written a course on Linux servers which is still running. Other courses I have written for them have been retired, as they could no longer make enough sales. I suspect this is because those courses were too advanced for their primary market, U.S. government employees and contractors in the Washington, D.C. area. Those courses were in Linux network services, Linux/UNIX security, and Linux/UNIX troubleshooting and performance tuning.
They more recently asked me to develop a course on cloud security, and after I completed that, to write a weekly blog for them. In 2014, that started to shift to content about Linux and security in general. Here are links to the blog postings I have written. I have listed them here by month, with each month's essays in order (more or less, to keep some multi-part series together).
December 2012
Yes, Virginia, You Seem To Have A Problem
Amazon's US-East-1 region keeps having trouble. What's going on? There are ways to use AWS more safely, pay attention to Amazon's advice and take advantage of their geographic diversity.
Key Thieves Disturb the Peaceful Xen Garden
There has been a major advance in cross-VM attacks. Since virtualization is required for cloud computing, this means that you might be sharing hardware with someone trying to steal your keys.
Side-channel attacks can exploit timing variation, power supply fluctuations, and other subtle things your developers probably aren't aware of. But the attackers know and use these.
How Much of Cloud Security is New and Different?
Absolutely nothing at all, as far as the technology goes. The difference is in the visibility and control which you must surrender.
November 2012
How Can You Tell If Your Secrets Are Really Secret?
Wait and see if someone behaves in a way that indicates that they have read your secrets. That's about all that we really have.
When Will People Learn How To Safely Use Amazon Web Services?
Amazon tells us over and over how to design trustworthy systems on their distributed architecture. And people keep ignoring the advice, putting all their eggs into one magical basket, and finding that it isn't so magical after all.
Clouds of a Different Sort: Into the Teeth of the Storm
Why do we insist that cloud computing must be perfect? Non-cloud computing certainly isn't. Neither is the real world.
Amazon is the New Coal Tar, and I Mean That in a Good Way
AWS today is like coal tar in the late 1800s through the early 1900s — the raw material underlying many new products.
October 2012
The SAS 70 Emperor Has No Clothes
SAS 70 is nice if you're an accountant. For cybersecurity, it's not very useful.
What a week in cryptographic news — Keccak was selected as SHA-3, Adobe announced a breach that broke its digital signatures, and Windows imposed new limits on its use of weaker cryptographic algorithms.
The long and cautious process of designing and selecting a new Secure Hash Algorithm is finally finished. The task focused attention on the hash functions we already had, showing us what we need to do immediately. It isn't "move to SHA-3", it's cleaning up the mess we have made so far by relying on weak hash functions in so many places.
The Glacier Arrives, Slow and Quiet
Here's a great new cloud storage product with a fantastic price. Why do I not hear more about people using this?
September 2012
What Is "The Cloud" And How Can It Be Secure?
Unless you get someone to commit to a meaningful definition of "The Cloud", it makes no sense to try to discuss details. But a lot of what people are referring to is inherently insecureable.
Security needs truly random data, and that is much harder to obtain than you might expect. Here is a new source.
We're All Guinea Pigs in the Cloud Computing Experiment
No one has ever built a system like those used by the major cloud providers. They're figuring it out as they go, and we're along for the sometimes overly exciting ride.
Insurance companies say "Act of God" for things they don't even want to consider. Here's a big example of one.
August 2012
Cyber Attacks Have Been Monetized
The availability of reasonably priced GPU based cluster computing in the cloud means that you can easily calculate the budget for a cryptographic attack. Guess what — attacks that were nothing more than theoretically possible are now practical and not very expensive.
Voltage Fluctuations, Heat, and Other Side-Channel Attacks
Did you realize that power supply voltage fluctuations and excessive semiconductor heat can cause some leakage of extremely sensitive information? Good cloud providers have the infrastructural advantage of good power conditioning and environmental control. Turns out they're more important that I would have assumed.
Cryptography is a difficult area of mathematics. We shouldn't expect things to work as we would assume. Here's a startling example of that!
Certification and Compliance Don't Make You Secure
You have a bunch of certifications? I suppose that's nice. But it doesn't mean you know how to use a computer. Here are some horror stories about the certified and allegedly compliant.
July 2012
The Undetectable Threat of Cloud Sprawl
Over half of executives are worried about their data migrating to the cloud out of their control, and without even knowing about it. But maybe a quarter of executives are the ones doing this!
The Scariest Thing About Cloud Computing...
It's cheap, it's easy, and it's so tempting for your insiders to store your sensitive data there without your knowledge. And there's no way you can find out that it's happening.
The U.S. Government can access your cloud data, and the cloud providers aren't even allowed to tell you if this happens. Do your own encryption!
Flame Authorship is Acknowledged... Now What?
Yes, the Flame malware was a joint US-Israeli operation. But what happens now?
June 2012
Can You Get Cyber Insurance for Cloud Computing?
Probably not. Technical people can't agree on what "The Cloud" means, so why should we expect insurance underwriters to have any clue?
Will My Cloud Provider Read My Data?
Could they, in theory? I suppose. But will they? If it's hard enough that FBI forensics analysts don't even try, I'm not losing any sleep.
Who Can Read My Data in the Cloud?
What happens when you release cloud storage? Is it zeroized before reuse by another customer?
Is your kernel patched to enforce adequate access
control on /proc/PID/mem?
Your cloud provider's should be.
May 2012
Move to The Cloud and Forget Your Passwords!
That isn't like moving to Minnesota and then losing your mittens. Instead, move to Miami and never need mittens!
Migrating to the Cloud: Do You Need Assistance?
You may need the all-powerful Jeeves if you're going to build a 30,472-core high-performance computing cluster in the cloud. Fortunately, cloud butlers exist.
Why Must We Still Fear the BEAST, and What Can We Do?
We've known that SSL and TLS v1.0 were broken since 2002, and had a replacement TLS v1.1 since 2006. But they still aren't being used! Why?
Nothing New Under the Sun (or in the Cloud)
Here's a thesis from 1986 on trusted cloud computing!