Your SlideShare is downloading. ×
US Patriot Act OSCON2012 David Mertz
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×
Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

US Patriot Act OSCON2012 David Mertz

648
views

Published on

supplemental slides from https://www.slideshare.net/OReillyOSCON/us-patriot-act-and-implications-for-cloud-computing-data-privacy session

supplemental slides from https://www.slideshare.net/OReillyOSCON/us-patriot-act-and-implications-for-cloud-computing-data-privacy session

Published in: Technology, Business

0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
648
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
3
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. OSCon 2012: Cloud Computing & Data Privacy David MertzLets take this as our starting point: “No matter how paranoid you are, what theyre actually doing is worse than you can possibly imagine.” - Ralph J. Gleason (1917-75)
  • 2. OSCon 2012: Cloud Computing & Data Privacy David MertzOr to be specific: While misuse and abuse of the NSL power has been widely documented, the Obama administration [is seeking to allow] the FBI to demand even more records without court approval. [T]he administration proposed to expand the statute to allow the FBI to get Americans internet activity records without court approval or even suspicion of wrongdoing. http://www.aclu.org/national-security/doe-v-holder
  • 3. OSCon 2012: Cloud Computing & Data Privacy David MertzLets take an illustration from ActiveState:
  • 4. OSCon 2012: Cloud Computing & Data Privacy David MertzWhat security guarantee does this give us? It doesverify that the bytes that make up the VM receivedby the Cloud Host are those you intended.
  • 5. OSCon 2012: Cloud Computing & Data Privacy David MertzIf Cloud Host receives a National Security Letterthey might be compelled to inject code into your VM(and have a gag order against revealing they did so).
  • 6. OSCon 2012: Cloud Computing & Data Privacy David MertzIt would be nice if clever cryptography can let aprocess self-verify against code injection. But is itpossible in the face of a bad actor or a hostile law?
  • 7. OSCon 2012: Cloud Computing & Data Privacy David MertzIf the “Scanner” can vouch for itself, and it can pokeat the bytes inside other containers, this is sufficientto guarantee against injection attacks. How might itdo this? ● Public key authentication against secured machine? ● Response to random queries of its own memory image? ● Response to random timing challenges to demonstrate known behavior? ● OS authentication of scanner? (but VM could inject into OS)
  • 8. OSCon 2012: Cloud Computing & Data Privacy David MertzAs can the audience, I can quickly poke holes ineach of the methods in the last slide. On the otherhand, I am not certain this quest is quixotic.Inspirations: ● GPG/PGP: RSA lets me to send messages over insecure SMTP with assurance that only the intended recipient has access. ● Freenet: I can participate in a peer-to-peer data network without having even the capability of revealing or determining which content my node helps share.
  • 9. OSCon 2012: Cloud Computing & Data Privacy David MertzEven if a “Scanner” is possible with the desiredproperties, it does nothing whatsoever to protectagainst attacks on applications within containers.App-level security is a distinct issue. ● If code running in a container is the binary intended (i.e. no injection), it may still needs to encrypt connections/stored data/etc. per app requirements. ● App-level software has known and unknown attacks. The best we are hoping for is “no worse than” hosting an application on privately controlled hardware.
  • 10. OSCon 2012: Cloud Computing & Data Privacy David Mertz “No matter how paranoid you are, what theyre actually doing is worse than you can possibly imagine.” - Ralph J. Gleason (1917-75) Ideas?

×