Category Archives: Security

The Cloud Race

I have been trying to spread a specific story-line about cloud since I cooked it up for my BSidesLV presentation “2011: A Cloud Odyssey”.

Now each time I present at another conference several people come up and ask me for a copy of Cloud Odyssey and more insight into what I see as the core security issues for cloud.

So, soon I will post the 12M PDF of the 165-slide epic. It lacks all the animation and such, but perhaps it will still be handy as a reference for those who attended.

And here is my abridged take on the amazing opportunity that lies before us. My father’s generation of engineers focused on the Space Race — to put an astronaut on the moon. Overcoming the risk of space travel became a national obsession.

The cloud industry for my generation has brought to my mind several parallels to the space race. We stand at the edge of developing new and better ways to safely launch workloads into a high-risk environment. This is really just the beginning of the hyper environment. Those with lesser-value assets at risk may have been able to launch first, just like Sputnik had no pilot. The real test is to put our highest-value assets in a container that enables not only survival in cloud but also supports advanced procedures.

Kubrick’s movies pointed to serious downsides to centralized trust and automation. We are unlikely to prove this wrong. In fact, as I pointed out at BSidesLV, I did not pay Richard Bejtlich any money or prompt him to tweet like he was United States Air Force Brigadier General Jack D. Ripper during my Dr. Stuxlove presentation at BSidesSF. I could not have planned a better reaction. He fell into that all on his own and probably never realized the amazing irony.

My next several presentations (RSA Europe, RSA Beijing, ISACA SF) will draw on the space race parallel story in more detail. I will explain how to best reduce risk before you launch into the cloud and/or how to avoid the HAL effect once you are there.

Gamers crack AIDS puzzle

The news is about some amazing efficiency in solving problems found by using a “protein folding game” called Foldit.

Researchers have for over a decade been unable to solve the structure despite using many different methods. Even recently, the protein-folding distributed computer program Rosetta@home that uses thousands of home computers’ idle time to compute protein structures, was not able to give an answer. The Foldit players using human intuition and three-dimensional pattern-matching skills, however, were able to solve the problem within days.

The scientific article published by Nature Structural & Molecular Biology (“Crystal structure of a monomeric retroviral protease solved by protein folding game players”) concludes with some amusing analysis by the scientists.

The critical role of Foldit players in the solution of the M-PMV PR structure shows the power of online games to channel human intuition and three-dimensional pattern-matching skills to solve challenging scientific problems. Although much attention has recently been given to the potential of crowdsourcing and game playing, this is the first instance that we are aware of in which online gamers solved a longstanding scientific problem. These results indicate the potential for integrating video games into the real-world scientific process: the ingenuity of game players is a formidable force that, if properly directed, can be used to solve a wide range of scientific problems.

This reminds me of both my high school chemistry and physics teachers who would always start lab work by saying something like “now, let’s make this fun”. So the first question I get from this story is why it has taken the scientific community so long to recognize the power of channeling human intuition through an interface that doesn’t suck.

I have my theories, of course. When I worked on systems used for digital imaging and communications in medicine (DICOM), and more specifically on radiology technology, I found an odd dilemma in the medical field — the most advanced interfaces were the least desired by highly-trained practitioners.

Medical researchers had me deploying new IRIX workstations with high-end graphics processors to develop 3D fly-through capabilities of the human body. After a CT or an MRI scanner was done taking images in “slices” of the body, these Unix systems would put all the images back together again into a virtual human. The researchers expected doctors to jump at the chance to use 3D.

To the untrained eye, let alone a gamer, the ability to fly through a patient’s body looked like a fantastic advance in medicine. However, when surgeons and radiologists sat down to look at the big screens (20 inches was big back then) they were unimpressed.

I’ll never forget one late evening when a surgeon rushed in for a pre-op debriefing. I was called in for support, and I stood behind him as he scrolled around the 3D body. Then he said “I can’t use this nonsense”, stood up, and walked over to a wall of old fluorescent-lit white boxes covered in greyscale film images of the brain. He scanned the wall, made some “mmm hmmm” sounds and left.

I stared at the wall of “slices” of the brain. There were literally hundreds of pictures that the surgeon had to put back together in his mind. It seemed like an impressive skill but it also made me wonder why the ability to put a 2D world into 3D would prevent the ability to see in 3D.

That’s a long way of getting to the point that the history of doing things a particular way in medicine creates ruts of reliability. It takes a long time, perhaps even years, for the industry to assess, approve and then adopt technology that a gamer might take less than 24 hours to try and like.

Anyway, this story reads to me like the scientific community has finally found a way to do what others have been doing for years — leveraging gamers to solve problems. And who better to solve 3D problems than people who are highly trained in 3D visualization? That being said, I also noticed a slight dig against gamers in the phrase “ingenuity of game players is a formidable force that, if properly directed”.

Are we to believe that gamers are not a formidable force if undirected, or that their own direction is not as formidable as one led by scientists? Seems to me the scientists are the ones who were in need of direction.

Kwame Dawes on Breaking in to the Theater

The University of Nebraska at Kearney’s new hire in poetry does not hide the fact that he started out as a hacker:

Poet Kwame Dawes shared selections from his collection of 15 published books along with the stories behind the poems Thursday.

“I learned to write for the theater by befriending all the janitors and security guys in the theaters in Kingston,” the former Jamaican resident said. “I couldn’t afford tickets, so the janitors would let me in so I could watch rehearsals.”

Here is his poem “Storm” for the Pulitzer Center on Crisis Reporting.

Today in History: The Battle of Antietam

Early in the morning on this day in 1862, soldiers of the Union stopped the Confederate offensive march north at Antietam Creek in the fields of Maryland.

Soon we began to hear a most ominous sound which we had never before heard, except in the far distance at South Mountain, namely, the rattle of musketry. It had none of the deafening bluster of the cannonading so terrifying to new troops, but to those who had once experienced its effects, it was infinitely more to be dreaded. These volleys of musketry we were approaching sounded in the distance like the rapid pouring of shot upon a tinpan, or the tearing of heavy canvas, with slight pauses interspersed with single shots, or desultory shooting.

Nearly 100,000 men were ready to fight throughout the day. As the sun set, only 77,000 were standing and nearly 4,000 lay dead — the most casualties in a single day in American military history.

The majority of the Union effort was amassed at the center of the battlefield while smaller groups attacked first on the left, then center, and then the right. Their plan was to push in from a flank and only then drive forward with a numerical advantage. The initial attacks were mostly unsuccessful in making ground, however, and so the Union’s largest division never was fully engaged. The Union General was conservative and slow to react, despite having acquired a paper copy of the Confederate battle plans.

The Confederates then abandoned their offensive and retreated at night. This is believed to have been enough of an end to their march north that President Lincoln was able to issue the preliminary Emancipation Proclamation a few days later. Two months later, the Union General in charge at the Battle of Antietam was removed for failing to pursue the Confederates and win more decisively.

Update: Some interesting details in this video on how the battle set the stage for the President to renounce slavery.