Posts Tagged ‘Security’

ElasticVapor :: Life in the Cloud: A Trusted Cloud Entropy Authority

Tuesday, August 4th, 2009

Ruv Cohen posted an interesting thought on his blog about a “Trusted Cloud Entropy Authority”: ElasticVapor :: Life in the Cloud: A Trusted Cloud Entropy Authority

Gordon says “How about getting signed entropy from a trusted server on the network/internet?”

Gordon’s comments did get me thinking, maybe there's an opportunity to create a trusted cloud authority to provide signed, verified and certified entropy. Think of it like a certificate authority (CA) but for chaos. Actually, Amazon Web Service itself could act as this entropy authority via a simple encrypted web service call. I even have a name for it, Simple Entropy Service (SES).

This idea is very exciting and useful. However, if you think of classical CAs, e.g. in the “Web Server Certificate” field, then I believe only an independent CA in such a position guarantees the future potential of Cloud Computing without provider lock-in. The provider lock-in here refers not only to the CA itself, but also to pave the CA by a certified Provider / Services. In my view, therefore, the target must be to create a largely self-sufficient CA, which also allows small businesses and companies to offer certified and therefore “trusted” Cloud Computing services and resources without an expensive certification process. If you think, for example, of Amazon EC2 images, it should be possible in future to continue creating your own AMI image but then also to certify it free from Amazon. That would be a real added value – for Amazon as IaaS provider and for us as AWS users and enablers.
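A sketch of the signed-entropy exchange discussed above, added here as an example and not taken from either blog post. The names `Response`, `Serve` and `Seed`, the fixed 16-byte nonce, and the choice of Ed25519 and SHA-256 are assumptions; the client checks freshness and the signature, then mixes the authority's bytes with local randomness instead of using them directly.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Response is the reply of the hypothetical entropy authority.
type Response struct{ Nonce, Entropy, Sig []byte }

// Serve plays the authority: it signs nonce||entropy so a reply is bound to one request.
func Serve(priv ed25519.PrivateKey, nonce []byte) Response {
	e := make([]byte, 32)
	rand.Read(e)
	msg := append(append([]byte{}, nonce...), e...)
	return Response{Nonce: nonce, Entropy: e, Sig: ed25519.Sign(priv, msg)}
}

// Seed verifies a reply against the authority's public key and the nonce the client sent,
// then returns SHA-256(local || remote) so the authority alone never determines the seed.
func Seed(pub ed25519.PublicKey, nonce []byte, r Response) ([32]byte, error) {
	var out [32]byte
	if !bytes.Equal(nonce, r.Nonce) {
		return out, errors.New("stale or replayed response")
	}
	msg := append(append([]byte{}, r.Nonce...), r.Entropy...)
	if !ed25519.Verify(pub, msg, r.Sig) {
		return out, errors.New("bad signature")
	}
	local := make([]byte, 32)
	if _, err := rand.Read(local); err != nil {
		return out, err
	}
	return sha256.Sum256(append(local, r.Entropy...)), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // key pair constructed for the demo
	nonce := make([]byte, 16)                        // fixed length keeps nonce||entropy unambiguous
	rand.Read(nonce)
	seed, err := Seed(pub, nonce, Serve(priv, nonce))
	fmt.Printf("seed prefix %x, err=%v\n", seed[:8], err)
}
```

The signature proves where the bytes came from, not that they are secret: the authority knows its own contribution, which is why the seed also depends on local input.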

The Anatomy Of The Twitter Attack

Monday, August 3rd, 2009

Found another quite interesting article on TechCrunch: “The Anatomy Of The Twitter Attack”.

A short quote from the author’s conclusion:

What’s the takeaway from all this? Cloud services are convenient and cheap, and can help a company grow more quickly. But security infrastructure is still nascent. And while any single service can be fairly secure, the important thing is that the ecosystem most certainly is not. Combine the fact that so much personal information about individuals is so easily findable on the web with the reality that most people have merged their work and personal identities and you’ve got the seed of a problem. A single Gmail account falls, and soon the security integrity of an entire startup crumbles. So for a start, reset those passwords and don’t use the same passwords for different services. Don’t use password recovery questions that can easily be answered with a simple web search (an easy solution is to answer those questions falsely). And just in general be paranoid about data security. You may be happy you were.

I totally agree with that point of view. In my experience, most users (private and business) use the same weak passwords for different services.

To choose and create good, strong passwords, follow this guide.