Our cloudy future

So I just dealt with a hack on the @sijoe twitter account. And I went through a process of re-locking everything down.

What occurs to me, is that this is our cloudy future. Where resources could be effectively stolen from us, say CPU cycles and storage, not merely hacking useless social media sites, by fairly determined hacking groups.

Think about this for a moment. You have a large allocation on EC2 for some reason, and your account gets hacked. The hackers light up several large clusters and have them cracking keys, or computing rainbow tables, or other such nonsense. After they are done, they close down, and you get the bill.

This isn’t denial of service, this is denial of capital, or effectively involuntary wealth transfer. Stealing in a simpler language.

Its probably way past time to throw out passwords as a central barrier to entry. A silly approach to password generation requires many additional symbols, characters, punctuation, etc. There’s an XKCD for that. But a password, a single factor of identification, is insufficient to prove whom you are. We really need to be looking at multifactor: something you know, something you have. And higher levels than this. And we need to start factoring in duress (are you being forced to give up information, and if so, how could you signal this, without overtly signalling this, and what should the cascade look like after such a signal), and other such things.

When the resources are no longer in your physical possession, you no longer have the ability to put a hard firewall in place between these resources and the bad guys. Which means you may not be able to assert absolute control over “your” resources.

In our cloudy future, many may indicate this is a good thing. I dunno. Without that absolute, power button level of control, and I mean exclusive control, how could you be sure that your resources weren’t being stolen without forensic examination of a bill?

I had thought in the past that this could be a problem. I am absolutely convinced that, like other things claiming to be “settled”, this is anything but, and worse, it (massively) increases your attack surface, without minimizing the capability of successful attack.

Maybe its time for certificate fobs on USBs, and Cell phones.

Viewed 83341 times by 5408 viewers

2 thoughts on “Our cloudy future

  1. I’ve said this many times … security is a process and not a product. Clouds, and services, whether public or private all have security concerns and implications.

    Given the direction of business at the day job, and our rapidly growing cloud elements, this has been very much on my mind for a while. It was this hack that really crystallized the issues for me. Reduced this to a simple issue I could think about. So now we are going to think through some concepts on this. See if we can protect some hard coded password-only type sites in a meaningful manner.

Comments are closed.