SpamapS.org – Full Frontal Nerdity

Clint Byrum's Personal Stuff

Cloud Computing Security

Cloud Computing Security.

The linked presentation above came up in a discussion the other day on IRC about what to do with certificates and SSH host keys.

I hadn’t really thought about this. Sometimes it feels like once you put on your “somebody else is thinking about security” blinders, the world just starts moving faster and the ideas get more interesting. Unfortunately, at this high speed, I have to wonder if the impact may not be fatal for some heavy cloud (ab)users.

To “see what I’m on about”, skip ahead to slide #66 to see the bits about random numbers.

I keep thinking back to the days where I would open up “pSSH” on my Palm Treo 650 and it would warn me “This device has no real random number capabilities, so the crypto is probably pretty sketchy, be careful.” Unfortunately, our ssh clients on cloud instances aren’t telling us that. Somebody needs to put “fix random seeding in the cloud” on their todo list. Oh wait, I just did.


July 7, 2010 at 3:52 pm Comments (0)

Personal schedule for Clint Byrum: Velocity 2010, Web Performance & Operations Conference – O’Reilly Conferences, June 22 – 24, 2010, Santa Clara, CA

Attention Stalkers: You’ll need to forge a badge to follow me around in these sessions, as I believe the conference is sold out. That is, unless you already registered.

Personal schedule for Clint Byrum: Velocity 2010, Web Performance & Operations Conference – O’Reilly Conferences, June 22 – 24, 2010, Santa Clara, CA.

ooops.. fixed the link to actually work if you’re not logged in to oreilly.com as ME


June 17, 2010 at 5:29 am Comments (0)

“Protecting “Cloud” Secrets with Grendel”

May 28, 2010 at 8:03 am Comments (0)

Why hasn’t OpenID, or something else, taken over yet?

I just happened upon a site that mentioned bubbl.us as a way to brainstorm. Cool tool. I played with it and decided I wanted to keep the data I had put in it to play with later, but was annoyed that I had to create yet another user id+email+password combination on yet another site that I probably won’t visit again for a long while. Plus, say I want to add it onto my Facebook wall. Facebook might be able to extract the images, but they might not. How lame is that?

My current solution for the login problem is less than ideal. I use the Java program Password Safe to save my accounts+passwords, which it generates randomly. The pass phrase for my password safe is pretty complex, and I change it on about an annual basis. The program re-locks the safe after 5 minutes of inactivity, so this is reasonably safe against casual compromise. Of course, keyboard shoulder surfing and a subsequent theft of my machine (or temporary control) could render it useless, but I’m willing to accept those risks and do what I can to maintain control of the laptop. If somebody steals my laptop, unless they can crack the encryption quickly, I feel pretty good that I’ll have enough time to restore from backup, change all the passwords, and set a new combination.

However, this is basically as good as our current “status quo” of online fractured identity can get. And I still don’t have anything to bring all of my online presence together.

I recall with fond memories watching Dick Hardt’s amazing Identity 2.0 presentation from the audience at OSCON 2005. I came away thinking to myself “oh good, somebody is on it.” I put it out of my mind as a systems administrator with a lot of things to think about on the backend, and no real concern for the frontend.

Fast forward 5 years, and I see that we’re not much better off now. Dick Hardt’s company Sxip produced Sxipper, which is pretty cool, but still puts it on the users to safeguard and manage their data. Oh and really, I never heard about it until I went looking for Sxip again, and I don’t know anybody using it. I think it’s just a cool curiosity, not a solution.

This really is an issue that affects people, but they may not know it. Look at the trouble this guy went through to make Google accounts useful for people with multiple email addresses. As we start sharing and sending and moving data, our identities clearly can’t be defined as email addresses anymore. I have 3 that I use a lot, and a couple of others that just refuse to die for whatever reason. Changing them means trying to find every site on which I’ve used them. UGH.

OpenID was, and still is, a promising direction. There are some definite security pitfalls in the way it’s been done in the past, but I think they’ve solved most of them. It doesn’t really satisfy Dick’s Photo ID requirement where the issuer doesn’t get to know what you’re using it for. Still I love when I sign up for a site and I can use my OpenID login. I use my launchpad.net account for this, mostly because it was the first site that had a very clear “this is your open ID url” link.

FOAF-SSL or “WebID” also seems interesting as a way to promote social credibility and utilize existing technologies rather than try to invent the whole thing. Even Twitter seems to have rudimentary support. But it’s still a long way off from being in control of our identity. Given the meager number of relying parties, I’d say it may not ever get there, which is too bad.

So now I’m just confused. How and when are we going to get this done? When can I say “this is me, here’s some proof that this is me, now let’s get something done.”?

Social networks sort of try to do this with the social proof of many friends. But at issue there is how closed off those social relationships are. Facebook wants me *on Facebook*. They don’t want to enable me to also use MySpace or my Ning community seamlessly.

Until we as users know why we’d want that, and somebody is able to provide it, I guess I’m just stuck with my password safe.


April 22, 2010 at 9:54 pm Comments (0)

SSH brute force protection – It’s almost always already written

Every time I get my logwatch report and see the 20 – 40 daily brute force attempts on it, I cringe. I’ve locked it down to a point, but ultimately I prefer convenience on some level. Limiting any one IP to 2 ssh connections every 5 minutes has annoyed me as many times as it has probably saved me. Preventing root from logging in is nice too.

Ultimately though, I wanted a way to fight back against the brute forcers.. to get a step ahead of them. From seeing the success of projects like SpamHAUS and Project HoneyPot, I know that massive group collaboration works. Of course I started thinking how I’d write it in my head. Every time… for months.

Well, once I let go of my egotistical desire to write it, I found this great project, DenyHosts, which does the same thing for the brute force scanners. I just installed it, and already it has added a few IPs to hosts.deny. Go download it, run it, and stop the annoying scanners!
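As an added example (not part of the original post, and not DenyHosts’s own code), the sketch below applies the post’s limit of 2 per 5 minutes to failed sshd logins in a log and formats the offending addresses as hosts.deny rules. The function names, the year default and the sample log lines are assumptions constructed for illustration; the last sample lines show why the address must be taken from the end of the line, since the user name is attacker-supplied.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The user name is attacker-supplied, so match it greedily and anchor the
# address to the end of the line; a name like "x from 192.0.2.10 port 22 ssh2"
# then cannot make an innocent address look like the source.
FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?.* "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def offenders(lines, max_attempts=2, window=timedelta(minutes=5), year=2009):
    """Return source IPs with more than max_attempts failures inside window."""
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    flagged = []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the caller supplies one
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:
            q.popleft()
        if len(q) > max_attempts and m["ip"] not in flagged:
            flagged.append(m["ip"])
    return flagged

def hosts_deny_entries(ips):
    """Format addresses as TCP-wrappers rules for /etc/hosts.deny."""
    return [f"sshd: {ip}" for ip in ips]

# Constructed sample log lines (documentation address ranges).
SAMPLE = """\
Aug 23 16:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.5 port 40122 ssh2
Aug 23 16:00:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.5 port 40130 ssh2
Aug 23 16:01:30 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.5 port 40177 ssh2
Aug 23 16:03:00 web1 sshd[2111]: Failed password for deploy from 198.51.100.7 port 51520 ssh2
Aug 23 16:10:00 web1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 51600 ssh2
Aug 23 16:20:00 web1 sshd[2130]: Failed password for deploy from 198.51.100.7 port 51700 ssh2
Aug 23 16:30:01 web1 sshd[2140]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40500 ssh2
Aug 23 16:30:05 web1 sshd[2141]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40501 ssh2
Aug 23 16:30:09 web1 sshd[2142]: Failed password for invalid user x from 192.0.2.10 port 22 ssh2 from 203.0.113.9 port 40502 ssh2
""".splitlines()

if __name__ == "__main__":
    print("\n".join(hosts_deny_entries(offenders(SAMPLE))))
```

The slow, mistyping user at 198.51.100.7 stays under the limit because the failures never fall inside one five-minute window, and 192.0.2.10 is never blocked even though it appears in the injected user name.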


August 23, 2009 at 4:49 pm Comments (0)