RE: Into the Cloud (was RE: Missing Windows right-click key)

From: "McLauchlan, Kevin" <Kevin -dot- McLauchlan -at- safenet-inc -dot- com>
To: Tony Chung <tonyc -at- tonychung -dot- ca>, TECHWR-L Writing <techwr-l -at- lists -dot- techwr-l -dot- com>
Date: Thu, 22 Jul 2010 12:18:51 -0400

Tony Chung replied:
[...]
> I hear what you're saying. Heck, I've said what you've said: "What
> about unscrupulous employees?" With the amount of data floating
> uncontrollably on teh Interwebs, I doubt that anyone could find the
> time to make sense of everything they find, let alone for corporate
> espionage. But I guess when you're dealing with lots of money....

Ask a cracker-hacker. Ask anybody who does war-driving for fun.
YOU (as a black-hat employee) don't attempt to sift through
billions of pages of data.
Rather, you (as a black-hat employee) run a little app that
does the searching for you, and dumps the results out somewhere
convenient. Maybe it pops up an innocuous notice on your work
screen, or sends you a tweet, when it finds something.
In a bigger-than-several-football-fields server
farm, you probably just arrange that whatever is caught in your
net just gets copied to some standby servers or even some
on-line servers that you have co-opted. Then the copied stuff can
be sifted and tickled by further refined tools, at your (or your
spymaster's) leisure.

Automation. That's what computers are for. You are right - nobody
sifts by hand, given the amount of labor involved. Everybody
automates.


> If it fits into a series of packets and transfers over a series of
> wires, vpn, encrypted or not, that data is out there in the open.

"Encrypted or not" is not a useful thing to say. As long as data
is strongly encrypted, it's quite safe. Granted a focused attack
by somebody with enormous resources could unravel your encrypted
documents, but if you use up-to-date encryption, your foe is going
to succeed only long after the business data or research data have
become stale. I care that today's biz plans, market evaluations,
research, engineering docs, etc. are safe today. If somebody with
big bucks and huge computer resources breaks today's crypto
after beating on it for a few years, it'll be way out of date.
Of course, the assumption is that I will have moved on to newer
and better crypto algorithms as they become available.

The problem is to ensure that your data are always encrypted in
storage, and in transit. They should be in-clear only on the
machine where you are working. At that point, it is your responsibility
whether you allow somebody to watch (or video) over your shoulder
while you work, or whether you allow somebody to install keystroke
loggers and other nasties on your local device.

Actually, the above paragraph doesn't highlight the key point,
which is "the machine where you are working". In the cloud
scheme, you are looking at a screen and performing some hand-waving
motions at a desk somewhere, but your work is taking place in
a virtual machine inside a server inside a rack inside a huge
building with thousands (tens of thousands? hundreds of thousands?)
of similar machines and racks, all doing the same for other
people.

Your data can be temporarily unpacked and decrypted into volatile
memory on an anonymous cloud server, and only (encrypted) _views_
of your material are shown to you, over an encrypted pathway. Your mouse
actions and keystrokes go back over a similarly encrypted pathway.

Your thin-client app does little more than decrypt pre-visual
data and show it onscreen, and encrypt your actions to send back
to the app server.

So again, the only time your stuff is visible in the world is
when it's on the screen in front of you - wherever you happen
to be. Back in the anonymous cloud server, as soon as you
perform a "close" action from your terminal (or the connection
is lost), the server encrypts and saves the most current state
and the unencrypted stuff vanishes from volatile memory.
Even the virtual machine is wiped and a new one created for
the next person to connect.

The trick is getting the equipment and software needed to do the
job into the entire circuit of you-and-the-cloud. No air-gaps.
On the server, the virtual machines must be kept absolutely
secure from one another - no overlap of memory spaces, secure
setup and takedown of I/O pathways, etc. The O/S and virtualizer
must ensure that there is no way for a client of one virtual
machine to jigger the system (malformed code, overflows, other
tactics) to allow a user to break out of his/her private "jail"
and interact with the underlying system or with other people's jails.

Oops! Is that a sea of slack faces and glazed-over eyes?
Sorry. This stuff is what I do all day. It's boring as hell
to real people. :-)

Sorta like politics and sausage-making. Nobody really wants
to know what happens behind the scenes.

- Kevin
