Archive for the ‘Jackassery’ Category

Cloud: The Other White Meat…On Service Failures & Hysterics

October 12th, 2009 6 comments

To me, cloud is the “other white meat” to the Internet’s array of widely-available chicken parts.  Both are tasty and if I order parmigiana made with either, they may even look or taste the same.  If someone orders it in a restaurant, all they say they care about is how it tastes and how much they paid for it.  They simply trust that it’s prepared properly and hygienically.   The cook, on the other hand, cares about the ingredients that went into making it, its preparation and delivery.  Expectations are critical on both sides of the table.

It’s all a matter of perspective.

Over the last few days I have engaged in spirited debate regarding cloud computing with really smart people whose opinions I value but wholeheartedly disagree with.

The genesis of these debates stems from enduring yet another in what seems like a never-ending series of “XYZ Fails: End of Cloud Computing” stories, endlessly retweeted and regurgitated by the “press” and people who frankly wouldn’t know cloud from a hole in the (fire)wall.

When I (and others) have pointed out that a particular offering is not cloud-based for the purpose of dampening the madness and restoring calm, I have been surprised by people attempting to suggest that basically anything connected to the Internet that a “consumer” can outsource operations to is cloud computing.

In many cases, examples are raised in which a set of offerings that were quite literally yesterday based upon traditional IT operations and architecture, and haven’t changed at all, are today magically “cloud” based.  God, I love marketing.

I’m not trying to be discordant, but there are services that are cloud-based and there are those that aren’t; there are even SaaS applications that are not cloud services because they lack certain essential characteristics that differentiate them as such.  It’s a battle of semantics — ones that to me are quite important.

Ultimately, issues with any highly-visible service cause us to take a closer look at issues like DR/BCP, privacy, resiliency, etc.  This is a good thing.  It only takes a left turn when non-cloud failure causality gets pinned on the donkey that is cloud.

The recent T-Mobile/Danger data loss incident is a classic example; it’s being touted over and over as a cloudtastrophe of epic proportions.  Hundreds of blog posts, tweets and mainstream press articles proclaiming the end of days. In light of service failures lately that truly are cloud issues, this is hysterical.  I’m simply out of breath in regards to debating this specific incident, so I won’t bother rehashing it here.

Besides, I would think that Miley Cyrus leaving Twitter is a far more profound cloudtastrophe than this…

When I point out that T-Mobile/Danger isn’t a cloud service, I get pushback from folks that argue vehemently that it is.  When I ask these folks what the essential differentiating characteristics of this (or any) cloud service are from an architectural, technology and operations perspective, what I find is that the answers I get back are generally marketing ones, and these people are not in marketing.

It occurs to me that the explanation for this arises from two main perspectives that frame the way in which people discuss cloud computing:

  1. The experiential consumer’s view where anything past or present connected via the Internet to someone/thing where data and services are provided and managed remotely on infrastructure by a third party is cloud, or
  2. The operational provider’s view where the service architecture, infrastructure, automation and delivery models matter and fitting within a taxonomic box for the purpose of service description and delivery is important.

The consumer’s view is emotive and perceptive: “I just put my data in The Cloud” without regard to what powers it or how it’s operated.  This is a good thing. Consumers shouldn’t have to care *how* it’s operated. They should ultimately just know it works, as advertised, and that their content is well handled.  Fair enough.

The provider’s view, however, is much more technical, clinical, operationally-focused and defined by architecture and characteristics that consumers don’t care about: infrastructure, provisioning, automation, governance, orchestration, scale, programmatic models, etc…this is the stuff that makes the magical cloud tick but is ultimately abstracted from view.  Fair enough.

However, context switching between “marketing” and “architecture” is folly; it’s an invalid argument, as is speaking from the consumer’s perspective to represent that of a provider and vice-versa.

So when a service fails, those with a consumer’s perspective simply see something that no longer works as it used to.  They think of these — and just about anything else based on Internet connectivity — as cloud.  Thus, it becomes a cloud failure. Those with a provider’s view want to know which part of the machine failed and how to fix it, so understanding if this is truly a cloud problem matters.

If the consumer sees the service as cloud, the folks that I’m debating with claim, then, that it is cloud, even if the provider does not.  This is the disconnect. That’s really what the folks I’m debating with want to tell me: don’t bang my head against the wall saying “this is cloud, that isn’t cloud” because the popular view (the consumer’s) will win and all I’m doing is making things more complex.

As I mentioned, I understand their point, I just disagree with it. I’m an architect/security wonk first and a consumer second. I’ll always be in conflict with myself, but I’m simply not willing to be cloudwashed into simply accepting that everything is cloud.  It’s not.

It’s all a matter of perspective.  Now, Miley, please come back to Twitter, the cloud’s just not the same without you… 😉

/Hoff

Proof Of How I Almost Took The Internet Down…

September 5th, 2009 4 comments

I’ve tripped over it a couple of times.

I’ve done things to it and with it that perhaps I shouldn’t have.

I’ve even rebooted it once or twice.

On Thursday, I tried — unsuccessfully — to once and for all take down the Internet.

He’s just too damned resilient for his own good. 😉

Boy and his Turtle

One of my heroes…and an awesome person. Thank you, Vint.

You can read about the exploits of the Infrastructure 2.0 Working Group at SRI from Greg Ness’ blog here.

/Hoff

Hey Hey, I Wanna Be a Security Rockstar…

August 4th, 2009 25 comments

I am working on laying down the vocals over the music.

For the love of all that is audible, don’t say you weren’t warned…

The first couple of verses are recorded for your, um, pleasure here.

Here’s an overview of Defcon sung to the tune of Nickelback’s “Rockstar”:

I’m through with standing in line

for talks I’ll never get in

Didn’t make the top 3 in CTF again

Seems Defcon hasn’t turned out

quite the way I want it to be

(tell me what you want)

I want a brand new netbook

that runs Ubuntu

a 3G channel no one can hack into

And a 4 socket server big enough

to crack passwords for me

(yeah, so what you need)

I’ll need a credit card with someone else’s limit

And a wallet from a fed with nice badge in it

Gonna join the wall of sheep club

everyone makes fun of me

(Been there done that)

I want a bootable CD full of old hack tools

and a way to bypass pesky firewall rules

Need to tunnel SSH…DNS and RPC

(So how you gonna do it?)

I’m gonna trade this life for fortune and fame

gonna grow long hair and use a hacker name

[CHORUS]

‘Cause we all just wanna be security rockstars

Hacking parking meters,

windows-powered smart cars

The girls ain’t easy but the caffeine’s cheap

We’ll all stay skinny, can’t afford to eat

And we’ll hang out in the coolest bars

moochin off those vendors

and their sales whores

Every good script kiddie

Gonna wind up there

No pretty people

but we just won’t care

Hey hey I’ll be a security rockstar

Hey hey I’ll be a security rockstar

Wanna be…great like Mitnick

with no stay in the pen

Hire a PR firm to make me cool again

Sign-a couple autographs

buy my book ‘cos it’s not free

(I’ll have the quesadilla… ha ha)

Piss off Apple fanbois

cause quite a mess

pwn your precious iPhone

with an SMS

Escape from a VM

cos you’ve got crappy entropy

(So how you gonna do it?)

I’m gonna trade this life for fortune and fame

gonna grow long hair and use a hacker name

‘Cause we all just wanna be security rockstars

Hacking parking meters,

windows-powered smart cars

The girls ain’t easy but the caffeine’s cheap

We’ll all stay skinny, can’t afford to eat

And we’ll hang out in the coolest bars

moochin off those vendors

and their sales whores

Every good script kiddie

Gonna wind up there

No pretty people

but we just won’t care

Hey hey I’ll be a security rockstar

Hey hey I’ll be a security rockstar

Have a big pool party

with killer bees

a bread makin’ panel

with robots that freeze

lock picking fu

and hacker jeopardy

I’m gonna write those sploits

that offend the censors

Gonna pop those boxes

like a Pez dispenser

Get washed-up hackers

rewriting my tools for free

I’m gonna dress my ass

in the black shirt fashion

Donate to the EFF

and promote stack smashin’

Gonna date a sysadmin

blow my money on a brand new Wii

(So how you gonna do it?)

I’m gonna trade this life for fortune and fame

gonna grow long hair and use a hacker name

‘Cause we all just wanna be security rockstars

Hacking parking meters,

windows-powered smart cars

The girls ain’t easy but the caffeine’s cheap

We’ll all stay skinny, can’t afford to eat

And we’ll hang out in the coolest bars

moochin off those vendors

and their sales whores

Every good script kiddie

Gonna wind up there

No pretty people

but we just won’t care

Hey hey I’ll be a security rockstar

Hey hey I’ll be a security rockstar

I’m gonna give your mama

quite a fright

when I steal her account

on that Facebook site

If Satan’s on her friend’s list

Jesus really ought to be

You’ve got

“Clobber the Cloud”

Chicks pillow fighting

and even the odd

TV celebrity sighting

Korean spies in disguise

get your bail money for free

Fake ATM’s in the lobby

stealin’ your cash

suicidal cab drivers

who think it’s cool to crash

haxors getting pwned

posting your twitter feeds

I’m gonna trade this life for fortune and fame

gonna grow long hair and use a hacker name

‘Cause we all just wanna be security rockstars

Hacking parking meters,

windows-powered smart cars

The girls ain’t easy but the caffeine’s cheap

We’ll all stay skinny, can’t afford to eat

And we’ll hang out in the coolest bars

moochin off those vendors

and their sales whores

Every good script kiddie

Gonna wind up there

No pretty people

but we just won’t care

Hey hey I’ll be a security rockstar

Hey hey I’ll be a security rockstar

You Might Be A Social Media Expert If…

July 10th, 2009 5 comments

My friend Dave Shackleford made one innocent little quip about social media experts on Twitter yesterday and in a fit of caffeine inspired (a)muse(ment) I went on a little rant.

Sung to the tune of Jeff Foxworthy’s “You might be a redneck…”:

  1. “If you think twitter is a sexual position, you might be a social media expert”
  2. “If the top three items in your browser history include the words “singles” “dating” or “matematch,” you might be a social media expert”
  3. “If your idea of fast food is ordering your X-Large pizza online — for yourself only — you might be a social media expert”
  4. “If you go to tweet-ups to pick up on women…you might be a social media expert”
  5. “If you’ve ever asked someone to become a Facebook fan of YOU, you might be a social media expert”
  6. “If you’ve ever broken up with someone over twitter & mistakenly @’d instead of DM’ing them, you might be a social media expert”
  7. “If your mom has more Facebook friends and Twitter followers than you do — some of whom she’s met– you might be a social media expert”
  8. “If you apply the David Koresh definition of ‘followers’ to Twitter, you might be a social media expert”
  9. “If you’ve ever sent defensive DM’s to @beaker because you’re offended by his SocMed jokes, you’re def. a fscking Social Media expert”
  10. “If you had no idea ponies don’t really come in pink with bedazzled outfits, you might be a social media expert”
  11. “If you’ve ever tweeted for help on how to operate a power tool in real-time, you might be a social media expert”
  12. “If your idea of a hot date is the poetry aisle @ Barnes & Nobles on ‘Middle Eastern Comedy Reading Night’ you might be a SocMed Expert”
  13. “If your idea of a pet is a LOLcat that uses kitty twitter, you might be a social media expert”
  14. “If you went to Defcon and had a shirt made that said “I poked your mom on Facebook” to wear to the invite-only FB party that night, you…oh”
  15. “If you have seen, let alone own, ‘Breakin’ 2: Electric Boogaloo,’ you might be a social media expert”
  16. “If you’ve EVER said ‘Thunderbirds are go!’ at a party that involved alcohol and people over 23, you might be a social media expert”
  17. “If your idea of a tough workout is 10 minutes on the Wii Fit, you might be a social media expert”

Here are some of the contributions that my like-minded and sheepish followers penned:

  1. If you use your WiiFit to update your statistics on Facebook and MySpace, you might be a social media expert [@n0b0d4]
  2. If you’ve ever suggested an IPS and SIEM based on Twitter, you might be a Social Media expert *looks at @Beaker* [@innismir]
  3. If you named your twins Tweet and Retweet, you might be a social media expert [@n0b0d4]
  4. If you refuse to talk to your parents because they aren’t on Facebook and Twitter, you might be a social media expert [@n0b0d4]
  5. You know you’re a social media expert when…you can celebrities look at you followers and are jealous [@n0b0d4]
  6. If people send help when you haven’t tweeted in 3 hours, you might be a social media expert? [@samj – in response to my CTO wondering why I was MIA from Twitter for 3 hrs ;)]
  7. If you bought a book of funny quotes cause you thought it would make for interesting tweets, you might be a social media expert. [@pcalvin]
  8. If you stopped posting for 1 day and people start asking if you’re ok, you might be a social media expert. [@lonervamp]
  9. If you learned how to dance from Dance Dance Revolution, you might be a social media expert [@noora_freedman]
  10. If followe[rs|es] exceeds your dunbar number by an order of magnitude you might be a social media expert <- works for monkeys too [@samj]
  11. If you’ve ever cared whether or not someone follows you back you might be a social media expert. [@samj]
  12. If you shake hands by making sure to follow everyone who follows you, you might be a social media expert [@jamesurquhart]
  13. If the thousands of hours you spent playing Everquest are finally paying off, you might be a social media expert. [@jamesurquhart]
  14. If you’ve ever left a meeting with your CIO to finish a tweet you might be a social media expert [@andywillingham]
  15. If you’ve ever won a blogworld pass with a tweet, you might be a social media expert [@n0b0d4]
  16. If you refer to Friendster as the historic way people used to communicate, you might be a social media expert [@munozrick]
  17. If you follow 10,000 people but only 20 follow you back, you might be a social media expert [@vmdoug]
  18. If your idea of a great book title is “How to win followers and influence people”, you might be a social media expert. [@daveshackleford]
  19. If you count the letters in every sentence as you write, you might be a social media expert [@munozrick]
  20. If you become anxious about the number of API calls left in your Twitter client, you might be a social media expert. [@daveshakleford]
  21. If you’ve ever switched Twitter clients to avoid RT your own lame joke, you might be a social media expert [@n0b0d4]
  22. If you can’t live without your Flip Video camera, you might be a social media expert. [@dirflash]
  23. If you think hashtags should not be removed from mattresses, you might be a social media expert. [@lmclaughlin]
  24. If you’ve ever thought 140 characters is too much, you might be a social media expert [@n0b0d4]
  25. If you have ever switched the keys on your keyboard around just to keep life interesting…you might be a social media expert [@cparadis_]

/Hoff

Categories: Jackassery, Social Media Tags:

What The Hell Was I Thinking?…Help Me Remember & Win $25

June 28th, 2009 22 comments

This might seem just a tad bizarre, but I could really use your help.

I built this diagram about a year ago.  I *think* I remember what the hell it was I was trying to visualize, but for the life of me…I can’t recall.

Seems a little odd to be asking you lot, but you’re pretty darn good at interpreting my madness.  Care to give it a whirl?  Give me the best explanation for my diagram below and win $25.  I’m good for it.  Ask the people who have won my whacky challenges before…payable via PayPal.

[Image: 4overlap]

Thanks.

/Hoff

Dear Mr. Schneier, I Was A Jackass & I’m Sorry…

June 10th, 2009 6 comments

Humble Pie

This is a particularly difficult blog to write.  As humble as I try to be, I think I might have believed my own marketing for a while there.  I feel badly.

Ever since I wrote this piece titled “Dear Mr. Schneier, If Cloud Is Nothing New, Why Are You Talking So Much About It?” I’ve been churning on it.  I couldn’t put my finger on why I felt, well, guilty.

So here’s the rub: I added some petty color in that post that was rude and disrespectful to Bruce. Nothing major, but unnecessary.  Time to own it.

When I wrote it at 1:30am out of frustration with Bruce’s comments it seemed funny at the time.

Then I re-read it the next morning and thought to myself, “that was a bit pointed for no particular reason.”

I let it slide because I don’t make a habit of editing posts once they’re up and normally, it’s just part of the shtick.  I also figured he’d never read it anyway.

Then Bruce emailed me, and what he said, despite my own rationalization, really kicked me in the butt for days:

I linked to it from my blog post.  I did so because it was interesting, but almost didn’t because it was rude.  Honestly, your points are good enough to stand on their own.

Bruce

Wow.

I apologized poorly in email and annotated the post to say I was a dick, but that’s not enough because if what Bruce said is true — that my points are good enough to stand on their own — then I owe him the respect of removing the things that don’t need to be there — and shouldn’t have been in the first place.

So I’m going to do that.

You might think I’m overreacting or you might disagree with my actions as a betrayal of my supposed personality.  Doesn’t matter.  I should do better.

Thanks for the humility reminder, Bruce.

I still don’t agree with you, but I respect your right to an opinion.  Sorry for the snark.

/Hoff

What Do You Mean When You Say “Open” ?

June 6th, 2009 1 comment

I saw a great post from Seth Godin wherein he highlighted many interpretations of “open.” Here are some of them:

  • open source : a program whose source code is made available for use or modification as users or other developers see fit. If a car goes open source, then you’re permitting others to copy your engine and body design, improve it, put their improvements back into the pool and share some more.
  • open infrastructure: Amazon’s cloud is an example of this. You build the pipes and allow people to rent them to build their own systems on.
  • open architecture: A system (hardware or software) where people can learn how it works and then build things to plug in to extend it. The IBM PC had an open architecture, which meant that people could build sound cards or other devices to plug in (without asking IBM’s permission).
  • open standards: relying on rules that are widely used, consensus based, published and maintained by recognized industry standards organizations. It means that you’re not in charge, the standards guys are. Bluetooth is an example of attempting this, so is USB.
  • open access: APIs that make it easy for people to get at the data on your platform (twitter is a great example, so is Google maps.)

These are just a few.

I hear this word a lot in our industry.  It’s one that people need to stop abusing or at least better clarify in terms of context, much like “free” or “Cloud.”

As Seth asked, “What kind of open are you looking for?”

/Hoff
*image from mag3737’s Flickr Photostream

Just What the Hell Is a Hoffacc[h]ino, Anyway?

May 4th, 2009 5 comments

You may have heard of it.

It’s quite possibly the fundamental underpinning of the entire security industry; a veritable life-source for over-worked security folk.  It’s apparently critical to the success of Cloud, as you can see from the picture to the right.

What is this mystical thing?  The Hoffacchino. Or, Hoffaccino, if you prefer.

You may hear it muttered and wonder “Just what the hell is a Hoffacc[h]ino, anyway?”

Go to your local Starbucks and order the following:

The Hoffacc[h]ino

Venti Starbucks Doubleshot on ice. 6 shots, 3 Splenda (can sub sugar,) no classic (syrup,) breve (that’s 1/2 and 1/2 for those of you who don’t speak Starbucktalian.)

I cannot take responsibility for substitutions, because the recipe above took dozens of iterations to perfect for balance of acidity, sweetness, caffeine, creaminess and mouth feel.

It’s like an americano over ice (without water to dilute) with Splenda and 1/2 and 1/2, and it’s shaken, which makes a big difference for some reason.

Now you know.

Everyone groans when they hear it.  Then they try it.  Then they’re hooked.

Sorry.

/Hoff

GigaOm Says: Thanks For Wanting To Speak, How About Paying Us Instead?

April 29th, 2009 4 comments

GigaOm’s Structure ’09 “Putting Cloud Computing to Work” conference sounded really good. I thought I’d submit a response to their CFP with a perspective on Cloud Security that I’m pretty sure would be unique.

I was excited when I saw a response from GigaOm’s Surj Patel titled: GigaOM’s Structure 09: Speaker Application Status

I was slightly less excited when I read the contents of the email which you can see by clicking on the image below to expand it:

[Image: SPI Stack Security]

I loved this.  “We ask you to consider engaging our audience not by speaking but via sponsorship.”

So while my talk doesn’t satisfy their requirements, cash does.  Yup, that’s adding value alright.  I don’t mind not meeting their speaking requirements, but slapping me in the face with this kiss-off is insulting.

Bite me.

/Hoff

Security Researchers Turn Their Venom Loose On Twitter…No More Free Re-Tweets!

April 16th, 2009 1 comment

[Image: nomorefreeretweets]

It’s getting brutal out there, kids.

It all started innocently enough on Twitter when rockstar bughunter Alex Sotirov commanded:

[Image: sotirov-rt]

Of course, I couldn’t help myself:

[Image: hoff-rt]

Pretty soon, my eeeevvvvviiillllll followers caused this:

[Image: rt-gate]

HA!

Update:

[Image: rt-wewin]

w00t!
