The National University of Singapore has announced the winner of a 24-hour coding competition. Here’s the goal:

…a 24-hour programming competition, encourages students and faculty to develop customized applications that advance the search and discovery process of scientific information.

So you might be thinking there would be some cool new scientific tools being developed. Maybe students have added perspective and a new way of thinking about problems, based on data discovery? No, instead the winner is a Google modification — a search engine that ranks scientific papers based on reputation.

First place: Zhao Shanheng and Zhong Zhi, of NUS, developed the iRank Apps, an application which ranks institutes by the number of papers returned in the top search results. This tool can help students decide where to apply for their PhD or pursue postdoctoral research in their chosen field.

Google’s reputation-based system has advantages, but it also has risks. It requires you to trust external sources of verification — the peer-review system depends on the quality of the peers. That seems highly unscientific. It’s a second-person or even third-person view of data.

So the first place award goes to an app that tells you what the search engines tell you about what the peers tell you about papers from institutes. It is a popularity contest app that is at least three steps removed from an actual review of source material.

The huge irony, of course, is that the contest appears to have had a controlled/trusted system to determine the winner. How quaint. Perhaps they should have instead thrown the apps into public search engines and let the one that hits the top search results win. Otherwise, I would say their decision to review and vote for iRank App in a closed system contradicts the mission of the iRank App…

I have been asked a few times about details of the Federal track at VMworld this year in Las Vegas so I thought I would just post the information here for convenience.

Note that all the Federal sessions are security and/or compliance related:

Session ID and Title

• CAP1992 Building Resilient, High Performance, Distributed Applications that are Data-Intensive
• SEC1544 Compliance and Trust in the Cloud
• SEC1747 Desktop Security Zones with VMware View and vShield App: A Reference Architecture Review
• SEC1980 Department of Defense Reference Architecture using vShield
• SEC2114 Customer Panel: Ensuring Compliance in a Virtual World
• SEC2162 Achieving a Trusted Cloud
• SEC2192 Case Study: Building a Virtual Data Center at the Department of Homeland Security to Meet FISMA Moderate to High Data Security Requirements
• SEC2942 Building Trusted Clouds – Proof Points not Promises
• EUC1988 Case Study: Using VMware View to Strengthen Disaster Response Systems for Federal Agencies
• SEC2284 Securing Government Virtual Environments: Part II
• EUC2048 Panel Discussion: Modernizing the Desktop to Provide Better Business Continuity while Reducing Operational Costs for State and Local Government

Aside from helping prepare some of the compliance sessions I am presenting on the art of applying penetration testing skills to the cloud. And I’ve been asked to sit on a PCI expert panel. Hope to see you there:

• SEC1236 Penetration Testing the Cloud
• SEC2484 PCI-DSS Compliant Cloud—Design and Architecture Best Practices

Come see how far things have progressed since the early days of VMware

Today I received an email “newsletter” from the CEO of Townsend that announced a new product for database encryption:

Today we are excited to announce the availability of our new Alliance Key Manager for SQL Server (AKMSS). AKMSS is a Hardware Security Module (HSM) for encryption key management that protects access your encryption keys.

A quick look at the specifications, however, and an odd gap appeared between the marketing language and the actual product.

First, they seem to have stretched the phrase “Hardware Security Module” (HSM) to mean software running on a standard Linux x86 system. It used to be that an HSM had a specific meaning for cryptography. Wikipedia, a general reference, gives us this:

[HSM] are physical devices that traditionally come in the form of a plug-in card or an external TCP/IP security device that can be attached directly to the server or general purpose computer. […] The tamper evidence, resistance, and response — tamper protection — are the key and major differences HSMs have from usual server computers acting as cryptographic accelerators.

The Townsend product does not appear to meet the basic definition of an HSM.

Second, Townsend themselves say on their product specification page they have achieved validation only to NIST FIPS 140-2 Level 1. So they only use software-based security to protect the keys. FIPS 140-2 Level 1 by definition implies a software-based crypto-module since crypto-hardware certification begins at Level 2. A quick check of the NIST FIPS Validated Modules list page reveals item #1449 has the following text:

When operated with the Red Hat Enterprise Linux 5 OpenSSL Cryptographic Module validated to FIPS 140-2 under Cert. #1320 operating in FIPS mode (approved algorithms retested on listed operating environment)

Townsend’s “HSM” thus derives its FIPS security from an open-source OpenSSL software module, which previously achieved FIPS certification due to open-source community efforts — an OpenSSL crypto-module is their source of FIPS certification. That’s a good start but use of this crypto-module when not in FIPS mode would negate their FIPS-certified security.

Note: search for the string 1320 on the NIST list page will show many companies derive their FIPS certification from OpenSSL, including IBM (see #1433).

Townsend Security makes a good case for the need for an HSM in the market, and that does not yet appear to be what they are offering to sell from their own product specification. It reads like a software-based key-management system, offering OpenSSL for FIPS security, running on a Linux system. That does not rise to the same level of security that even a TPM would provide, let alone a FIPS 140-2 Level 2 or above certified cryptographic hardware security module.

They suggest this product is a solution for compliance, but buyer beware. I find their marketing material to mislead by equating low and high security levels:

Certified Solutions Ensures the Highest Level of Compliance with Regulations

Alliance Key Manager for SQL Server 2008 is certified to the FIPS 140-2 Level 1 specification.

Level 1 is the highest level? Um, no. Level 1 provides the lowest level of compliance with regulations. And they say it ensures…let’s not even go there.

A recent interview I gave has turned up in a SearchCloudComputing.com column:

…GovCloud is an admission by Amazon that it cannot modify its entire cloud so it will isolate data and applications completely. Instead, it has to carve it up.

History shows us that most breaches come from out of scope, “isolated” systems that are not truly separate. The attackers enter through a back door, a system that’s connected to the backplane for emergency use only but gets them into the rest of the network. Could a contractor who is not a U.S. citizen get in under ITAR? Is Amazon hiring separate administrators to run GovCloud?

AWS itself admitted that the major outage of its Elastic Block Storage service in April happened because it did not have good separation of systems. Has it just created a false sense of separation between the GovCloud secure zone and the rest of AWS? It’s certainly given potential attackers something to look for.

I actually said Amazon chose not to modify its entire cloud. They probably had the option to make AWS secure enough to comply with ITAR but apparently it was not worth the expense, so they chose to reduce exposure to the compliance requirements through segmentation. The first thing that jumped into my mind is whether they will charge a premium to be in GovCloud — charge more money to guarantee that employees are U.S. citizens. Otherwise, who in the U.S. wouldn’t want to move all their workloads into GovCloud?