US Patriot Act OSCON2012 David Mertz

Supplemental slides from the session at https://www.slideshare.net/OReillyOSCON/us-patriot-act-and-implications-for-cloud-computing-data-privacy

Transcript

  • 1. OSCon 2012: Cloud Computing & Data Privacy David Mertz
    Let's take this as our starting point: “No matter how paranoid you are, what they're actually doing is worse than you can possibly imagine.” - Ralph J. Gleason (1917-75)
  • 2. Or to be specific: “While misuse and abuse of the NSL power has been widely documented, the Obama administration [is seeking to allow] the FBI to demand even more records without court approval. [T]he administration proposed to expand the statute to allow the FBI to get Americans' internet activity records without court approval or even suspicion of wrongdoing.” http://www.aclu.org/national-security/doe-v-holder
  • 3. Let's take an illustration from ActiveState:
  • 4. What security guarantee does this give us? It does verify that the bytes that make up the VM received by the Cloud Host are those you intended.
  • 5. If Cloud Host receives a National Security Letter, they might be compelled to inject code into your VM (and have a gag order against revealing they did so).
  • 6. It would be nice if clever cryptography can let a process self-verify against code injection. But is it possible in the face of a bad actor or a hostile law?
  • 7. If the “Scanner” can vouch for itself, and it can poke at the bytes inside other containers, this is sufficient to guarantee against injection attacks. How might it do this?
      ● Public key authentication against secured machine?
      ● Response to random queries of its own memory image?
      ● Response to random timing challenges to demonstrate known behavior?
      ● OS authentication of scanner? (but VM could inject into OS)
  • 8. As can the audience, I can quickly poke holes in each of the methods in the last slide. On the other hand, I am not certain this quest is quixotic. Inspirations:
      ● GPG/PGP: RSA lets me send messages over insecure SMTP with assurance that only the intended recipient has access.
      ● Freenet: I can participate in a peer-to-peer data network without having even the capability of revealing or determining which content my node helps share.
  • 9. Even if a “Scanner” is possible with the desired properties, it does nothing whatsoever to protect against attacks on applications within containers. App-level security is a distinct issue.
      ● If code running in a container is the binary intended (i.e. no injection), it may still need to encrypt connections/stored data/etc. per app requirements.
      ● App-level software has known and unknown attacks. The best we are hoping for is “no worse than” hosting an application on privately controlled hardware.
  • 10. “No matter how paranoid you are, what they're actually doing is worse than you can possibly imagine.” - Ralph J. Gleason (1917-75)
    Ideas?
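
Slide 7's "response to random queries of its own memory image" can be sketched as a nonce-based challenge-response. This is an added example, not code from the talk; all function names and the sample image are constructed for illustration. It assumes the verifier holds a trusted reference copy and that the responder hashes the bytes actually executing, which the exchange itself cannot establish.

```python
import hashlib
import hmac
import secrets

def make_challenge(image_len, rng, n_ranges=4, span=64):
    """Verifier: fresh nonce plus random (offset, length) ranges to sample."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    ranges = [(rng.randrange(image_len - span + 1), span) for _ in range(n_ranges)]
    return nonce, ranges

def respond(image, nonce, ranges):
    """Prover: hash the nonce, then each range's position and bytes."""
    h = hashlib.sha256(nonce)
    for off, length in ranges:
        h.update(off.to_bytes(8, "big") + length.to_bytes(8, "big"))
        h.update(image[off:off + length])
    return h.digest()

def verify(reference, nonce, ranges, answer):
    """Verifier: recompute from its trusted copy, compare in constant time."""
    return hmac.compare_digest(respond(reference, nonce, ranges), answer)

def rounds_to_detect(reference, running, rng, max_rounds=1000):
    """Rounds until a sampled range hits a changed byte; None if never."""
    for n in range(1, max_rounds + 1):
        nonce, ranges = make_challenge(len(reference), rng)
        if not verify(reference, nonce, ranges, respond(running, nonce, ranges)):
            return n
    return None

# Constructed sample data: a 4 KiB stand-in "image" and a copy with
# 256 bytes overwritten at offset 1024 to model injected code.
REFERENCE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
TAMPERED = REFERENCE[:1024] + b"\xcc" * 256 + REFERENCE[1280:]

if __name__ == "__main__":
    rng = secrets.SystemRandom()
    print("clean image flagged:", rounds_to_detect(REFERENCE, REFERENCE, rng, 50))
    print("tampered image flagged in round:", rounds_to_detect(REFERENCE, TAMPERED, rng))
```

Because each round samples only a few ranges, a single passing response says little; detection of a localized change is probabilistic and improves with repeated fresh challenges.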