Cloud Computing Security.

The linked presentation above came up in a discussion the other day on IRC about what to do with certificates and SSH host keys.

I hadn’t really thought about this. Sometimes it feels like once you put on your “somebody else is thinking about security” blinders, the world just starts moving faster and the ideas get more interesting. Unfortunately, at this high speed, I have to wonder if the impact may not be fatal for some heavy cloud (ab)users.

To “see what I’m on about”,  skip ahead to slide #66 to see the bits about random numbers.

I keep thinking back to the days where I would open up “pSSH” on my Palm Treo 650 and it would warn me “This device has no real random number capabilities, so the crypto is probably pretty sketchy, be careful.” Unfortunately, our ssh clients on cloud instances aren’t telling us that. Somebody needs to put “fix random seeding in the cloud” on their todo list. Oh wait, I just did.

Attention Stalkers: You’ll need to forge a badge to follow me around in these sessions, as I believe the conference is sold out. That is, unless you already registered.

Personal schedule for Clint Byrum: Velocity 2010, Web Performance & Operations Conference – O’Reilly Conferences, June 22 – 24, 2010, Santa Clara, CA.

ooops.. fixed the link to actually work if you’re not logged in to oreilly.com as ME

“because we believe that all web applications should take security seriously. Today we’re open sourcing a piece of software, Grendel, that we think can help many sites (not just financial applications) protect users’ data from a RockYou-style mass disclosure in a simple way.”

Pretty interesting stuff.. and makes perfect sense for those websites out there playing russian roulette with their users’ data…