A “backdoor” is a mechanism that allows a service provider or government to access the contents of a system without knowing users’ passwords and without their knowledge. It is essentially a universal key that opens everything.

We hear government officials crying out that this is the only way they can protect the nation against attack. In other words, the government wants to have universal access to every electronic communication, or we will all die in flaming terrorist attacks.

So just why is this the stupidest idea in the world?Well it’s so incredibly stupid because it is impossible to guarantee that a “universal key” that decrypts everything can be kept secret. The government’s argument make it sounds like there’s a little physical key (like a little golden metallic key, let’s say) that could be kept safe in a place like Fort Knox and only brought out when needed. And yes, would be separate keys or processes for each provider or company (one for Apple, one for Dell, one for AT&T, one for Facebook) But encryption does NOT rely upon physical keys—that’s a dangerous argument.

There would be additional processes and safeguards on these keys, but essentially once a key is figure out, an entire company, entire industry, entire set of encryption processes, could be compromised.

With encryption, the  key is a sequence of numbers. You don’t have to break into a vault and “steal” the key to have universal access — you just have to figure out what the key is, even independent of the guys who created it in the first place, and once you figure it out, you’re in and you have access to everything—past, present, future.

Here are some common-sense reasons why this just can’t possibly work:

1. If someone were to find a way to independently generate or figure out the key(s), they’d be able to read every encrypted message ever created. (It’s a bit more complex than this, but it’s close.)
2. The key(s) would immediately become the target of every foreign government’s security services. If one of them discovered the key (stole it, recreated it, hacked an easier way of duplicating it), you’d probably not know. Just suddenly everything would become transparent to them.
3. Crooks will immediately attempt to discover the secret key(s). Don’t underestimate these guys. They are superb hackers and they have many millions of dollars to spend working on this. They might succeed.
4. It’s even easier, however. The key(s) would be stored somewhere on computers. If crooks could hack into that computer, they could probably extract the key.
5. A disgruntled government employee might release the key(s). Think about Edward Snowden if you want to argue that any government anywhere is really capable of keeping everything secret all the time, and forever.
6. Once the key is “out” it’s out forever. There’s no calling it back. (There could be mitigating circumstances on this one, but it would still be a terrible meltdown.)
7. The key(s) doesn’t affect just crooks and terrorists. It would also affect commercial transactions, banking, credit cards, stock markets … in short everything that depends upon encryption could be compromised if the key(s) were hacked.
8. Oh, and public key encryption has existed for years. If the government were to require that in the future there be backdoors for universal decryption, any of the existing encryption systems (which would not have backdoors) could continue to be used. (As far we we know there is no universal key for today’s systems.)
9. You know the phrase “If guns are outlawed only outlaws will have guns.” Well if commercial operators are required to provide the government with backdoors into their systems, you can be sure that outlaws will not, and from then on, only the outlaws will have secure communications.

Convinced yet?

Is that enough? Do you trust any government to do this, let alone to understand the magnitude of this Pandora’s Box?

[1] Interesting Infoworld article about this.

[2] Problems with backdoors Infoworld article

The post Backdoors – How Absolutely Stupid! appeared first on Sky's Blog.

User-agent: *
Disallow: /

Instead, I discovered that the googlebot may still spot the site and then put up a message saying that the site exists but is not indexed. i.e. the Googlebot still publicizes the existence of the site. It makes Google look like the good guys and us look like the bad guys for putting up a robots.txt. Yay for Google liberating all online information! Boo for us trying to keep our site un-indexed until we’re ready to make it public.I suppose if the site is public, they reason it’s OK to mention its existence. However, most of us did not intend for any results whatsoever to show up in Google, so having it say “the site exists but I can’t index it” is a big of a revelation! Beware of this if you are creating a pre-production test site — your site may still show up in Google searches. Instead, turn on some other protection — like the “Maintenance mode” plug-in for WordPress, so that not only sites but humans can’t use the site. Here’s kind what the Google result looks like:

Mork-A-Bork » Uncategorized
mork-a-bork.info/

A description for this result is not available because of this site’s robots.txt — learn more

The post Even Robots.txt won’t keep the googlebot away appeared first on Sky's Blog.

MY TOP APP PICKS FOR SYSTEM ADMINISTRATION ON iPAD

• iSSH— gives you secure shell (SSH) access to your servers using name+password or digital certs. If you use a command-line editor on your server (I use vi), be aware that up-down-right-left arrows won’t really function if you use the onscreen keyboard, but from a bluetooth keyboard they do work! Recently I’ve also had trouble with ESC, and I’ve had to tap its onscreen “button” instead on the physical key. You can also configure iSSH to emit true function keys (which are needed for some configuration work—in htop, for instance).
• 1Password— what a great way to keep all those passwords in one place! And encrypted too. 1Password for iPad syncs with 1Password on my Mac through Dropbox. When I make a new password, or change one, it is always available on the iPad as soon as I need it. This way I can use those 20-character random passwords that I’d never remember if I had to commit them to memory.
• Dropbox— Well of course you already know I use Dropbox for sync’ing 1Password across devices. And you can do without it if you sync the two devices “locally” on wi-fi, but I would never remember to do it—Dropbox lets it happen more in real-time and effortlessly.
• DropDAV— (Not an iPad app, but essential nevertheless) I need DropDAV because I have a buddy who watches my back and serves as sysadmin when I’m on those long air flights or otherwise indisposed, and he and I need to share documents, which we do through DropBox. DropDAV isn’t an app, it’s a service. Sign up and it makes your DropBox documents available to Pages and Keynote through WebDAV services on DropDAV.
• WordPress app— HTML textboxes don’t scroll properly on Safari on the iPad. This is a really big problem if you’re trying to admin a WordPress blog in Safari. So the WordPress iPad app is a necessity, though you don’t really have access to all of the WP admin features (it’s designed for bloggers, not admins), which means I’m constantly back and forth between this app and Safari even when I’m working on a single blog. This needs improvement, but I can make it work well enough for now.

PROBLEMS WITH THE iPAD

• No Flash. This means I can’t fully utilize a lot of tools, like Cloudkick, when on the road because they use Flash extensively. (However, I can log in at CloudKick even with my Yubikey one-time-password USB device, as long as I have the iPad USB camera adapter with me. That’s a trick to be explained elsewhere.)
• There’s no PGP mail encryption/decryption for the iPad mail app. Although I have other ways of dealing with encrypted mail when I’m on the road, this is still a big problem. If you rely on encrypted mail, be sure you have an alternative available when you’re traveling with your pad.

The post Top sysadmin tools for iPad appeared first on Sky's Blog.

Here are five reasons why you have to build your own cyber-protection capabilities rather than relying on governments to solve any of your security (and cyber-attack) problems for you. And you have to be vigilant and aware of what’s going on that might put governments even more in control of your online communications, reducing the options you have available to communicate privately with others as well as to defend yourself.

1. Government behavior recently shows that ultimately they (all?) want online communications to be available for them to read, even if they’re encrypted. The excuse is that terrorists and traitors use encrypted channels and therefore all communications must be readable by the authorities. Thus countries are fighting to secure warrantless wiretapping[1. Here’s what the EFF says on warrantless wiretapping – this is a great jumping off point for info], and to get hold of encryption keys (RIM/Blackberry[2. This has been going on for a couple of years with RIM/Blackberry, here Bruce Schneier tells us what the issue was as early as 2008.], Google[3. Read article about Google’s response in Economic Times (India) 16 December, 2010], etc.) so they can read Internet traffic.
2. Some governments (certainly the US that we know of) are already copying your communications into their data storage for later correlation and reference [4. Download the EFF release on AT&T diverting fiberoptic traffic in San Francisco to the NSA.]. ISPs and telcos have gigabit taps in place at interconnect facilities that give government agencies unfettered access to the entire information flow. I know from secondhand reports that this happens in other countries—you can google-around for more leads on that.
3. Governments are now saying (the UN particularly is floating this idea) they want to create international agreements so governments can work together to help make the Internet a safer place. This is a bad, bad, bad idea[5. Here’s what Vint Cerf and others said, according to the Huffington Post.] because repressive governments would rather you not have the ability to blog freely, and if this turns into an international agreement, everyone will be reduced to the lowest-common denominator.
4. They’re talking about kill switches[6. See my article In case of emergency, shut eyes and stagger in the dark.]  that would shut down critical portions of net communications in the event of a government-declared emergency. And many governments already selectively kill some types of communication, walling off YouTube, or Google search, online news like the New York Times, or other services  when they cover something the nation’s governors do not like.
5. If they don’t like something you say, then governments, or patriotic individuals, or attackers-for-hire will shut you down with denial of service attacks. So really you have to have your own plan in place and be ready to execute it. Your plan might just be to shut down, but at least you should be thinking about it in advance. And I’m telling you that governments are not going to be able to step in and protect you from that—it requires action at the level of your hosting facility.

My bottom line is that you yourself have to take care of your security to the degree you can.

First, (#1 above) you need to encrypt your communications with your business partners and friends. There are lots of ways you can do this and all of them require some amount of work, and that small amount of work has always been a barrier. You gotta get over that barrier and do it!

Second (#2) if your communications are encrypted and are copied for later analysis, someone who wants to snoop on you probably won’t like it, but you still are safer because it may take a considerable time to break that encryption. And although 99.9% of what you say won’t be of interest anyway, unless you’re plotting some evil deed, it’s possible for people to misinterpret what you’re saying and go after you. And on top of that, some of your personal conversations might just be embarrassing.

On #3, it’s just a really bad idea for governments to make policy about what can be carried on the Internet because the repressive governments will speak loudest, and any uniform international rules that would be formed would aim to protect the interests of the most repressive governments, not the rights of individuals. They’ll make it illegal to “advocate overthrow of the government” or “to offend national social norms” and since these differ so radically from one place to another, we will all be bound by rules that severely restrict our ability to speak openly about practically anything.

On #4, cutting access to the Internet in the event of a government-declared emergency immediately impedes the ability of civil society and NGOs to work across borders to stop any hostilities that might arise. It would plunge the net into darkness, where none of us could function. We see evidence of this in the ways China’s Golden Shield (the Chinese firewall) is used to suppress any mention of topics the government does not wish to see discussed. There is no broad freedom of speech in countries that do this kind of filtering and blocking, and if this were institutionalized worldwide so that we could not offend the Chinese government (they say offend the Chinese people, but we know it’s the government objecting, not the people—Chinese citizens are certainly as able as humans anywhere to accept diversity of opinions). Forming regulations that would apply worldwide would severely restrict freedom of speech in the most “free” countries in order to reduce it to the level acceptable to all repressive states.

And finally, #5 denial-of-service attacks are becoming the norm when someone doesn’t like what you’re saying. These are the “private” equivalent of setting up a firewall to stop your opinion from entering a country (like China) by shutting down your “printing press” as it were.

Why the parrot photo? Well, I’ve long had a policy of “if you can’t say something new and unique, don’t say anything at all” so I have not, so far,   parroted any comments on Wikileaks or Julian Assange, though there are many hints about the future of free speech, journalism, and government involvement in all of this, in what you can read almost anywhere online!

The post Don’t rely on governments to solve your security problems appeared first on Sky's Blog.

The Washington Post reported last week that the Obama administration is seeking to modify the 1993 Electronic Communications Privacy Act so that Internet service providers must turn over transaction records on email communications and possibly web browsing records, upon receipt of a “national security letter” from the FBI. This particular legal process doesn’t require review by a judge—unlike search warrants.^[1]

The law does not allow access to the contents of those emails without judicial oversight…only the more externally-visible addressing information, and that does tend to be what email systems log and archive. On the other hand, the term “electronic communication transactional records” which is what the government could require ISPs to divulge, is not defined in federal statutes, according to the Washington Post.^[2] And so it could conceivably be extended to include other person-to-person communications, such as social media contacts

This is the same process the Bush administration used, in the early 2000s, to ask libraries to turn over the records of books checked out by patrons, which was strongly resisted by librarians at that time.

Phone companies keep records of all of the numbers you call, and these are subject to the same access rules. This has never been a question, and most people in the US are probably at least marginally aware of this.

The real question isn’t whether someone is reading your email addresses and headers—it’s how they are interpreting the titles, subjects, and names of the people you are corresponding with. In the McCarthy era here in the US, you could be blacklisted for associating with the wrong people.

If you have an inquiring mind, would you want someone to judge you based on the titles of the books or publications you’re reading? Or the subjects and addressees of your email?

[2] The New York Times 30 July, 2010 — secondary report and opinion

A whole nother ancillary question is whether your ISP actually keeps these records or not. If they do not, are they then exempt from having to turn over any records, or will the government require that they keep such records in the future? Some ISPs intentionally do not keep certain kinds of records, which helps keep your use of certain services anonymous. And, for instance, I’d guess that very few ISPs, if any, keep records of your browsing history, and this makes it prohibitively difficult to document all of the web sites you’ve visited.

The post Who is looking at your email history? appeared first on Sky's Blog.

Clearly when there is warfare in the physical world the combatants are also likely to utilize cyber tactics of some sort, even if only for informational or propaganda purposes, but more likely as powerful tactics to take down their target’s ability to respond quickly or in a focused manner. Because governments aren’t really equipped to handle these types of attacks, which would include attacks against private infrastructure, not just government systems, they’d have to rely on private companies, individuals and groups — essentially private armies — to deflect or thwart any attack.

There are some problems inherent in cyber attacks that make any kind of defense really tricky:

* During a cyber attack against private or military targets online, one might not be able to determine whether the attacker is civilian, criminal or military;

* Online citizen militias (hackers motivated by patriotism) could be impossible to distinguish from organized military cyber-attackers;

* Collateral cyber-damage to (or the freezing of, or interference with) the economic mechanisms that make daily life possible could paralyze large areas if not whole countries; the idea that a government (say the President of the US under the proposed cybersecurity bill) could shut down key elements of the Internet for up to 120 days without legislative recourse[2], could be more dangerous than the attacks themselves;

* An ISP in any particular country (say the US, for example) might be conflicted about whether to allow a sudden flood of traffic to pass through its network to “attack” some foe, or whether to stop that flood in order to preserve its ability to serve  customers—in fact the ISP probably wouldn’t be able to tell the difference;

In a sense, were someone to “shut off the Internet,” which proponents say S 3480 does not allow, it would be suicidal, since the defenders would also lose their ability to communicate with each other and to thwart any attack. Turning off the Internet would not only deny your opponent a playing field, but would deny defenders the ability to respond. And the collateral damage would be that all financial, manufacturing, transportation and other systems that depend on the net would also shut down

Lots of room for debate, but clearly governmental agencies and legislatures are beginning to think about the necessary means and the possible limits of their actions.

[1] We the People of the United States, in Order to form a more perfect Union, establish Justice, insure domestic Tranquility, provide for the common defense, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.

[2] The Protecting Cyberspace as a National Asset Act of 2010; some fear that this bill provides a “kill switch” the President of the US could use to “turn off” the Internet;

[-] US Appoints first Cyberwarfare General in guardian.co.uk

[-] EU Committee in UK on protecting Europe against large-scale cyber-attacks

The post Private armies in cyberspace? A kill switch on the Internet? appeared first on Sky's Blog.

If you’re not a cyberspace expert and don’t care for geek talk, you may think it’s just another report on cyber espionage. But the messages are important for everyone. And my point is that they are very clearly explained!

Ron Diebert and Rafal Rohozinski, in their Foreward, point out that crime and espionage go together. Or that wherever one goes, the other is soon to follow.

They don’t say this directly—these are my words: Crime, espionage (and warfare) seep into the interstitial spaces of society and occupy any vacuum they find. And from there they can grow to occupy the whole of the space, like a mold, fungus, or rot.

What we are seeing in online attacks against free speech sites these days, particularly drive-by attacks^[1], is that they do not seem to be politically or idealistically motivated, instead they are opportunistic and (presumably) economically motivated because they’re focused on injecting spambots and trojans, not on altering the message of the nonprofit web site.

[1] See CyberSpark.net and click “drive-by” on that page

The post Why “Shadows in the Cloud” should open your eyes appeared first on Sky's Blog.

In prior years, attacks have been positioned to “take down” legitimate businesses by denying access to their sites [DDoS].^[2] Soon it was discovered (and is not widely exploited yet) that if an attacker simply hammers a site so hard that the defending organization has to dedicate more resources (read “money”) to defense, they can wear down the organization by depleting its budget and even its “will to stay alive online.” This doesn’t work if the attacker is just exploiting a site to drive traffic to its own illegitimate sales site, but it does work if the attacker’s intent is to take the organization down.

I already see evidence of small to medium attacks of the economic sort, and predict that we will see far more of them during the remainder of 2010 and 2011. I am working with NGOs now to prevent this type of “bad aftertaste” attack trend, and will report on how it’s going as I gather more information and evidence.

To get a feel for how much this is happening, see the StopBadware and the BadwareBusters web sites (forums where people are discussing these attacks and their remediation).

[2] (Distributed) Denial of Service attacks bog down the target web servers so they can’t respond to legitimate requests from customers. They make it impossible to reach the business or organization. In some cases, the attacker asks for a “ransom” payment to stop the attack, is other cases they conduct a short-lived attack to make a protest or prove a point, and in some cases they continue their attack long enough to have a direct economic impact on the target.

The post DDoS, EDoS, then “that bad aftertaste” appeared first on Sky's Blog.

The post Reclaim your Facebook privacy appeared first on Sky's Blog.

But the great firewall is already blocking Google.com.hk content, as would be expected.

We believe this new approach of providing uncensored search in simplified Chinese from Google.com.hk is a sensible solution to the challenges we’ve faced—it’s entirely legal and will meaningfully increase access to information for people in China. —David Drummond, Google

An experiment gone wrong: I’m glad they did this, but well, why didn’t they do it this way in the first place? Why all the hair-tearing and gnashing of teeth while making the decision, and then put an office and servers in mainland China in the first place, and now have to revisit the decision? Hmmm. To many executives I’ve worked with, that would be a terrible admission of weakness, but to engineers (and to more and more investors) it’s just something they tried that didn’t work, and so they moved on.

When it started (2006): Here’s a report from Human Rights Watch about the new Google.cn service, Race to the Bottom, written at that time.

The cantonization* of the Internet: Ultimately what I’m concerned about is that the Internet is fragmenting into  national enclaves or cantons where 1) content from “outside” is filtered or prohibited, and 2) what can be written by citizens is severely restricted. Most likely that’s not exactly what the early Internet developers were expecting in 1973. [also see canton]

What’s interesting to me, working on the edge of network security, is that the law-abiding citizens of many countries are going to be denied open access to information while hackers (who are “criminals” by their own national standards), who circumvent the technologies and the law, will probably have the most complete access to the wealth of information and communication taking place on the Internet. —Sky

Some good background viewing and reading on the issue:

Yeah, I’m calling it Cantonization rather than the traditional term, balkanization. I think it’s more appropriate to the Chinese situationcanton. [“Canton” comes from the Portuguese pronunciation of Guangdong, the Chinese province.]

What will happen if countries draw international borders on the Internet? [2008, Odeo, MIT] And some comments on Laitman.com

Apple’s iTunes, NPR, Barriers to Giving, and the “Appliancing” of National Boundaries [2008] Some materials can only be downloaded within certain geographical areas, and it may be illegal to take them into certain countries due to local restrictions (wipe your computer before you travel…)

Adrian Monck, Unrequired Reading – particularly the last part where he points out that Google is [December 2008] becoming able to negotiate with national governments on what will or won’t be done with respect to searches performed by residents of their countries.

The post Google Chinese-language search, Hong Kong, and Internet Cantonization appeared first on Sky's Blog.

But there are things you can do to protect yourself. NGO-in-a-box has developed Security-in-a-box, a set of tools and tactics for your digital security. Worth taking a look!

It’s often said that “if we can envision it, we can create it,” but in the world of computer (and network) software this is only partially true. We can attempt to create it, but it will always have bugs in it. And those bugs are the chinks in the armor that allow malware to work and cyberwarfare to succeed.

[2] See also The Social Graph of Malware, my site where I explore ways in which social engineering is used by the bad guys to get malware onto your computer.

The post No chance for true security? appeared first on Sky's Blog.

Here’s the punchline: I got a 3x improvement in speed on my cable broadband service, but had to find and avoid a technical problems that is probably a security feature. And the DOCSIS 3 standard and modem is great. Read on…

For months now, my Comcast broadband (delivered by cable, and very pricey here in the US—my French friends pay 1/3 what I pay for essentially the same service) has been flaky. It has been dropping out for a couple of hours at a time, at other times getting really slow. Comcast customer service was nice about it—they were happy to talk to me and to ‘reset’ the modem remotely each time I called, but the fix only lasted an hour or two.

Two nights ago, right at midnight, the cable modem stopped working entirely. I called Comcast and they said ”we can ’see’ the modem and it looks fine” but the indicator light was off and it just wasn’t transmitting any data. So they agreed I could swap it out for another modem.

The next afternoon I went to a local electronics store (Fry’s in Palo Alto) and bought a Motorola “SurfBoard” SB6120 modem. I’m not favoring Motorola here, although I used their mobile phones for over 15 years, and as a child in Illinois a good family friends were the brother and sister of Paul Galvin, founder of Motorola. It was just the one DOCSIS 3 modem that Fry’s had on the shelf. And the price was OK—higher than a DOCSIS 2, but the performance was supposed to be better.

And, well, it was better! A lot better.

DOCSIS^[1] 3 provides multiple channels, which it gangs together (called bonding) to give you higher speed from one cable connection. The cable operates at a bandwidth/frequency around 650mHz so it has plenty of bandwidth available (which is, of course, shared across users down the street from me, but sometimes it’s all mine!).

So when I plugged in the new modem (and after calling Comcast tech support, who provisioned it for me in about 5 minutes) I was up and running. I plugged my MacBook into the modem, got an IP address, tested, and found i was running at over 20mbs. Fantastic! A solid 20mbs.^[2]

Oh, and what was the surprise? Well, it turns out that the first device that you plug into “your” side of the modem is registered by that modem as its one and only router. Nothing else that you plug in after that is even recognized by the modem. (It apparently uses the MAC address of the Ethernet interface on the device to recognize which device is the one it will talk to.) So you have to be careful to power-cycle the modem if you plug in a new router (I was doing my testing using a MacBook plugged directly into the modem, but then plugged in a Linksys router, which couldn’t talk to the Internet through the modem until I power-cycled the modem). I guess this is a good security procedure, but if you encounter it when you’re installing a new modem, it could waste hours of your time—it took me 4 hours of my time, and an hour on the phone with Comcast, to figure it out.)

[1] The best source I found for DOCSIS 3 information was the Brady Volpe site. The actual DOCSIS spec is online in the DOCSIS section of the Cable Labs web site (warning: the DOCSIS site seems only to work in MSIE on Windows – Firefox doesn’t browse this particular page very well at all). This is probably more than you wanted to know?

[2] I use speedtest.net to check channel bandwidths.

The post Improved my Cable Broadband speed 3x (DOCSIS) appeared first on Sky's Blog.

Its clear that the decision to filter was tough. And it probably took less to get them to reverse the decision than if the original decision had been clear cut. The issues that I see are involved include these:

• Censorship – even if mandated by local laws;
• Censorship – on more universal grounds (such as censorship of hate speech, etc.);
• Increasing Chinese cyberaggression – hacking servers, looking for industrial secrets (supposed Chinese, because it’s almost impossible to really know);
• Aggressive attacks against minority communities and free speech advocates (cited by Google, but I’ve seen them personally);
• Drive-by malware insertions in free-speech web sites, and whether this is targeted or not;
• Whether an equivalent of the Geneva Protocol (which deals with weapons as opposed to prisoners) can be developed for cyberwarfare.

The Social Graph of Malware is a site I started a few months ago, and sporadically contribute to, that describes how social engineering contributes so much to the spread of malware. The Google incident that sparked their “reversal” decision to stop filtering (just a week ago) was largely a piece of social engineering. We have been seeing targeted attacks on the Tibetan exile community (and others) recently, utilizing social engineering tactics to get people to open poisoned files that then infect their computers. So I’ll continue to track the Google.cn issue on The Social Graph of Malware because of this connection.

The post Google.cn in again out again appeared first on Sky's Blog.

To our surprise, we learned earlier this year that the Adobe Reader processes JavaScript that can be embedded in its PDF documents. Once again, here in December 2009, another vulnerability allows JavaScript can be exploited to turn a PDF into a malicious piece o’ stuff.

The fault won’t be fixed until mid-January 2010. Big companies have long turnaround on fixing software. Yes, they have to test to be sure everything still works after they make a fix – but meanwhile we can’t safely open PDF documents unless we have JavaScript turned off.

The attack vector is to send a poisoned PDF file to intended target individuals, purporting to be “From: a friend” and hoping that they’ll open the attached PDF thinking that it’s safe. Wrong again. You won’t be caught by this, will you?

More on this attack on DarkReading.com.

The post Adobe Reader under attack again appeared first on Sky's Blog.

A virtual host looks like an actual server. You (or your programmer/sysadmin) can use it as if it were your own dedicated server. In fact, however, it is only a portion of a much larger server. Rackspace/Mosso, and Slicehost are two I’ve discussed and actually use. The focus is on the virtual server.

An automatically-scalable hosting solution is a service or set of services which are hosted on one or more computers, and you can’t actually tell how big the server is or for that matter, whether it’s a whole array of servers. The focus is on the virtual service (not the server itself).

What’s good: Virtual servers are a more secure environment than shared servers because you are only dependent on your own security efforts. (On a shared server, if another user picks a poor password, or doesn’t upgrade their PHP software when security upgrades are released, you can be hacked if their account is compromised.) Automatically-scalable hosts may also be secure in this same way if accounts are adequately protected from each other.

What’s bad: A root compromise of a virtual server may be possible. In fact, it’s probably inevitable that such things will happen. And if you don’t update your underlying software (like WordPress, for instance), they you’re likely to be in trouble anyway. So ultimately any server can be compromised.

I’ve written about “economic denial-of-sustainability” attacks, in which an attacker causes a cloud user to so scale up their server usage that it becomes economically impossible for the defender to survive. These wouldn’t be possible if there were no cloud computing.

The post Security in the Cloud – Matey, there be challenges ahead appeared first on Sky's Blog.