
Archive for the ‘Jackassery’ Category

Ron Popeil and Cloud Computing In Poetic Review…

February 27th, 2009 No comments


The uptake of computing
using the cloud,
would make the king of all marketeers
— Ron Popeil — proud

He's the guy who came out
with the canned spray on hair,
the oven you set and forget
without care

He had the bass fishing rod
you could fit in your pocket,
the Veg-O-Matic appliance
with which you could chop it

Mr. Microphone, it seems, 
was ahead of its time
Karaoke meets Facebook
Oh, how divine!

The smokeless ashtray,
the Cap Snaffler, drain buster
selling you all of the crap
Infomercials could muster

His inventions solved problems
some common, some new
If you ordered them quickly
he might send you two!

Back to the Cloud
and how it's related
to the many wonders
that Sir Ron has created

The cloud fulfills promises
that IT has made:
agility, better service
at a lower pay grade

You can scale up, scale down
pay for just what you use
Elastic infrastructure
what you get's what you choose

We've got public and private,
outside and in,
on-premise, off-premise
thick platforms or thin

The offerings are flooding
the wires en masse
Everything, it now seems,
is some sort of *aaS

You've got infrastructure,
platforms, software and storage.
Integration, SOA 
with full vendor whoreage

Some folks equate
virtualization with cloud
The platform providers
shout this vision out loud

'Course the OS contingent
has something to say
that cloud and virt
is part of their play

However you see it,
and whatever its form
the Cloud's getting bigger
it's starting to storm

Raining down on us all
is computational glory
but I wonder, dear friends,
'bout the end of this story

Will the Cloud truly bring value?
Solve problems that matter?
Or is it about 
vendors' wallets a-fatter?

*I* think the Cloud
has wonderful promise
If the low-hanging IT fruit
can be lifted 'way from us

The Cloud is a function
that's forging new thought
Pushing the boundaries
and theories we've bought

It's profoundly game changing
and as long as we focus
and don't buy into the
hyped hocus pocus

So before we end up
with a Cloud that "slices and dices"
that never gets dull,
mashes, grates, grinds and rices

It's important to state
what problem we're solving
so the Cloud doesn't end up
with its value de-evolving

—-

BTW, if you want to see more of my Cloud and Security poems, just check here.

How I Know The Cloud Ain’t Real…

February 4th, 2009 1 comment

You want to know how I know that The Cloud is all hot air and will never catch on?


…because I can't order it on Amazon.com and get free shipping with Prime.

FAIL!  FAIL, I say.

/Hoff

Rational Security: This Site May Harm Your Computer (Damned Right It Will!)

January 31st, 2009 5 comments
HA!  Finally someone (Google) has recognized that my blog is harmful and not fit for either human or computational consumption:

[Image: RatSec-GoogleHarm]

Sweet!

/Hoff
Categories: Jackassery Tags:

Introducing the Next Generation of Cloud Computing…

January 11th, 2009 13 comments

It is my pleasure to introduce the fruits of the labor of months minutes of diligent research and engineering prowess — my opus magnum — the next generation of Cloud Computing.  Pending standards-body approval shortly:

[Images: Commode Computing.001 through Commode Computing.007]

I'm looking for extensive peer review prior to standards body submission.  Open source also considered.  Please ensure you comment below in order to ensure transparency.  There are no ivory towers here, flame away (although you might want to open the window first.)

/Hoff

SPOILER: I know what Sotirov and Appelbaum’s 25C3 Preso. Is…

December 29th, 2008 4 comments

UPDATE: HA! So I was *so* close to the real thing!  Turns out that instead of 240 Nintendo DS Lites, they used 200 clustered  Sony PS III's! I actually guessed that in an email to Sotirov, too!  I can't believe you people doubted me!

I initially thought they used the go-kart crashes in Super Mario Brothers to emulate MD5 "collisions."

Check out Ryan Naraine's write-up here.

So Alexander Sotirov and Jacob Appelbaum are giving a presentation tomorrow at 25C3 titled "Making the Theoretical Possible."

There's a summary of their presentation abstract posted via the link above, but the juicy parts are redacted, hiding the true nature of the crippling effects of the 'sploit about to be released upon the world:

[Image: 25C3_censored]

I have a Beowulf cluster of 240 Nintendo DS Lites running in my basement and, harnessing the capabilities thereof, was able to apply my custom-written graphical binary isomorphic differ algorithm, using neural networking based self-organizing maps and reverse steganography, to deduce the obscured content.

I don't wish to be held liable for releasing the content of this prior to their presentation nor do I wish to be pursued for any fair use violations, so I'm hosting the results off shore.

Please click here for the non-redacted image hosted via a mirror site that reveals the content of the abstract.

/Hoff


Using Twitter (Via the Cloud) As a Human-Powered, Second Stage SIEM & IPS

December 18th, 2008 2 comments

Here's the premise that will change the face of network security, compliance, SIEM and IDP forever:

Twitter as a human-powered SIEM and IPS for correlation

This started as a joke I made on Twitter a few weeks ago, but given the astounding popularity of Cloud-based zaniness currently, I'm going open source with my idea and monetize it in the form of a new startup called CloudCorrelator™.

Here's how it works:

  1. You configure all your network devices and your management consoles (aggregated or not) to point to a virtual machine that you install somewhere in your infrastructure.  It's OVF compliant, so it will work with pretty much any platform.
  2. This VM accepts Syslog, SNMP, raw log formats, and/or XML and will take your streamed message bus inputs, package them up, encrypt them into something we call the SlipStream™, and forward them off to…
  3. …the fantastic cloud-based service called CloudCorrelator™ (running on the ever-popular AWS platform) which normalizes the alerts and correlates them as any SIEM platform does, providing all the normal features you'd expect, but in the cloud where storage, availability, security and infinite expandability are guaranteed!  The CloudCorrelator™ is open source, of course.

    This is where it gets fun…

  4. Based upon your policies the CloudCorrelator™ sanitizes your SlipStream™ feed and using the Twitter API will allow Twitter followers to cross-correlate seemingly random events globally, using actual human eyeballs to provide the heuristics and fuzzy logic analysis across domains.

Why bother sending your SlipStream™ to Twitter?  Well, firstly you can use existing search tools to determine if anyone else is seeing similar traffic patterns across diverse networks.  Take TwitterSearch for example.   Better yet, use the TweetStat Cloud to map relevant cross-pollination of events.

That zero day just became a non-event.

I am accepting VC, press and alpha customer inquiries immediately.  The @VirtualSIEM Twitter feed should start showing SlipStream™ parses out of CloudCorrelator™ shortly.

/Hoff


Beyond the Sumo Match: Crosby, Herrod, Skoudis and Hoff…VirtSec Death Match @ RSA!

December 15th, 2008 2 comments

Besides the sumo suit wrestling match I'm organizing between myself and Simon Crosby at this year's coming RSA 2009 show, I'm really excited to announce that there will be another exciting virtualization security (VirtSec) event happening at the show.

Thanks to Tim Mather at RSA, much scheming and planning has paid off:

"In this verbal cage match session, two well known critics of virtualization security take on two virtualization company CTOs as they spar over how best to secure virtualization platforms: who should be responsible for securing it, and how that ultimately impacts customers and attackers.  We have Hoff and Skoudis versus Crosby and Herrod.  Refereeing will be respected analyst, Antonopoulos."

Simon Crosby (Citrix CTO), Steve Herrod (VMware CTO), Ed Skoudis (InGuardians) and myself will have a lively debate moderated by Andreas Antonopoulos (Nemertes) that is sure to entertain and educate folks as to the many fascinating issues surrounding the present and future of VirtSec.  I expect to push the discussion toward cloud security also…

WAR! 😉

Stay tuned for further announcements.

/Hoff

PDP Says “The Cloud Is Not That Insecure” & Implies Security Concerns Are Trivial…

November 21st, 2008 No comments

I haven't been whipped into this much of a frenzy since Hormel changed the labels on the SPAM cans in Hawaii.

PDP (of gnucitizen fame) masterfully stitched together a collection of mixed metaphors, generalizations, reductions to the ridiculous and pejoratives to produce his opus magnum on cloud computing (in)security titled "The Cloud Is Not That Insecure."

Oh.

Since I have spent the better part of my security career building large "cloud-like" services and the products that help, at a minimum, to secure them, I feel at least slightly qualified to dispute many of his points, the bulk of which are really focused on purely technology-driven mechanical analogies and platforms rather than items such as the operational, trust, political, jurisdictional, regulatory, organizational and economical issues that really go toward the "security" (or lack thereof) of "cloud-based" service.

Speaking of which, PDP's definition of the cloud is about as abstract as you can get:

"Cloud technologies are in fact no different than non-cloud technologies. Practically they are the same. I mean the term cloud computing is quite broad and perhaps it is even a buzzword rather than a well-thought term which describes a particular study of the IT field. To me cloud computing refers to the process of outsourcing computer cycles and memory keeping scalability in mind."

Well, I'm glad we cleared that up.

At any rate, it's a seriously humorous read that would have me taking apart many of his contradictory assumptions and assertions were it not for the fact that I have actual work to do.  So, in the interest of time, I'll offer up his conclusion and you can go back and read the rest:

"So, is the cloud secure? I would say yes if you know what you are doing. A couple of posts back I mentioned that cloud security matters. It still does. Cloud technologies are quite secure because we tend not to trust them. However, because cloud computing can be quite confusing, you still need to spend time in making sure that all the blocks fit together nicely."

So, there you have it.  Those of you who "know what you are doing" are otay and thanks to security by obscurity due to a lack of trust, cloud computing is secure.  That's not confusing at all…

This probably won't end well, but…

Sigh.

/Hoff

Disruption/Delay Tolerant Networking: To Proudly Ping Where No Man Has Pinged Before…

November 20th, 2008 4 comments

…'cos there ain't no clouds in outer space…

The fine folks at NASA, with notable contributors such as the Internet's baby-daddy Vint Cerf, have been bit twiddling a new communications protocol this month that has been in the works since 1998.  The "launch" of the Delay/Disruption Tolerant Networking protocol is currently being field tested on the comet-seeking EPOXI spacecraft.

While TCP/IP has generally worked well beyond its initial design requirements as the terrestrial Internet has scaled unimaginably, it doesn't work so well in interplanetary deep space.

From the fine folks at Ars Technica:

"This month, NASA began testing a new protocol for communications in outer space that could extend the reliability and versatility of the Internet out of the Earth's atmosphere. The new protocol, called Disruption-Tolerant Networking, or DTN, has been in the works for ten years, passed a month of testing with a just-launched spacecraft and nine ground stations, but is still scheduled to undergo further tests.

"Communicating in interplanetary space is hard. While even the most remote regions of the earth can be reached by lightspeed communications in a modest fraction of a second, and voice conversations from the earth to the moon can be carried out with only a barely noticeable delay, several light minutes separate planets even at their closest approaches. Back-and-forth negotiation isn't feasible, and the cost of starting processes from scratch is high. Furthermore, disruptions of communication are numerous and routine. Satellites and planetary probes have much less power when they're out of the sun, line of sight must be maintained, dishes properly aimed, etc. Solar flares and other environmental factors can shut communications channels unexpectedly.

"Under the new DTN protocol, nodes retain data in their own memory until they receive confirmation the data has been received by a suitable target node. This increases the likelihood that data will arrive at its destination with a minimum of back-and-forth communication, even when communication is intermittent or unreliable."

I wonder if it's IPv6 compatible?  After we assign a DTN/IP-Address to Internet-enable each celestial body, we'll be out of addresses again!

BTW, I happen to have access to a DTN-enabled uplink which proxy relays my TCP/IP to DTN through the EPOXI spacecraft.  Check out the round-trip times on this badboy:

Zeitgeist:~ choff$ ping jupiter.solarsystem.com
PING jupiter.solarsystem.com (10.0.0.1): 56 data bytes
64 bytes from 10.0.0.1: icmp_seq=0 ttl=252 time=1662.194 lightyears
64 bytes from 10.0.0.1: icmp_seq=1 ttl=252 time=109.738 lightyears
64 bytes from 10.0.0.1: icmp_seq=2 ttl=252 time=109.098 lightyears
64 bytes from 10.0.0.1: icmp_seq=3 ttl=252 time=109.165 lightyears
64 bytes from 10.0.0.1: icmp_seq=4 ttl=252 time=99.230 lightyears
64 bytes from 10.0.0.1: icmp_seq=5 ttl=252 time=101.702 lightyears
^C
--- jupiter.solarsystem.com ping statistics ---
6 packets transmitted, 6 packets received, 0% packet loss
round-trip min/avg/max/stddev = 99.230/365.188/1662.194/580.053 lightyears
Zeitgeist:~ choff$

I am interested in understanding if there are any additional security mechanisms built into DTN, as it would be a shame if an advanced alien race could perform an interplanetary MITM on our transmissions: "…this is not the planet you are looking for…"

For the sake of humanity I hope so.  I'm going to go read the drafts.

Botnets?  Data leakage?  Clickjacking?  You think you've got problems, just think of the firewalls needed to protect against solar flares ;)*

/Hoff


Security, Drinking Straws, Cavities and Wrinkles…

October 31st, 2008 6 comments

I was reading an article on SlashFood titled "Drinking Straw: Friend or Foe" and chuckled at the parallels to the reflexive hyping, purchase and (oft failed) use of "solutions" in the security space.  Sometimes I think we need a securitysnopes.com:

"Recently, a friend passed along a tip from a dermatologist: Stop sipping through straws. The doctor said it was the number one cause of wrinkles.

"Even more recently, at lunch one day my aunt relayed some info from her husband, an orthodontist. He said that drinking through a straw prevents cavities and tooth decay, since straws allow sugary beverages to bypass your teeth. When my aunt said this, everybody around the table (six women) stuck straws in their drinks.

"But when I countered with the skincare side of the question, my aunt was the first to pluck her straw right back out again."

Brings new meaning to "security sucks."  What's your favorite "security straw" analogy?

/Hoff
