The Market Ticker - Commentary on The Capital Markets

2018-05-04 18:51 by Karl Denninger
in Technology

One of the Spectre-NG flaws simplifies attacks across system boundaries to such an extent that we estimate the threat potential to be significantly higher than with Spectre. Specifically, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there – the server of a cloud hoster, for example. Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap. Intel's Software Guard Extensions (SGX), which are designed to protect sensitive data on cloud servers, are also not Spectre-safe.


Every one of you stupid bastard firms -- and governments -- that have put your crap in the cloud have already had it stolen along with all of your encryption keys.

If you think hostile governments don't already know about and haven't been actively exploiting it for quite some time by now you're dumber than a box of ****ing rocks.

YOU WERE WARNED ABOUT THIS **** SEVERAL YEARS AGO ON THIS BLOG AND THERE IS NO WAY TO FIX IT OTHER THAN TO GET YOUR DAMNED DATA BACK IN YOUR OWN BUILDING AND PROCESS IT THERE WHERE NOBODY BUT YOUR AUTHORIZED PEOPLE RUN CODE ON THAT BOX.  IT WILL BE YEARS, IF NOT DECADES, BEFORE THE PROCESSOR MANUFACTURERS RE-ARCHITECT EVERYTHING SO THAT SECURITY IS MORE IMPORTANT AND WHEN THEY DO THE PERFORMANCE WILL BE A FRACTION OF THAT AVAILABLE BY NOT DOING SO.

IF YOU GIVE A SINGLE **** ABOUT DATA SECURITY CLOUD IS, AS OF RIGHT NOW, DEAD, BURIED, AND RADIOACTIVE WASTE.

Comments.......
Asimov
Posts: 109861
Incept: 2007-08-26

East Tennessee Eastern Time
I don't know that I believe this, but it definitely drifts through my mind every time I see an article about this whole pile of crap "security."

I wonder if it isn't an intentional flaw engineered by the government that just happened to get discovered by somebody(s) else.


----------
It's justifiably immoral to deal morally with an immoral entity.

Festina lente.
Tinman
Posts: 309
Incept: 2008-02-16

Ten years ago a colleague of mine told me that if I don't embrace the cloud I would be out of work. I told him that one day a big wind will come and blow the cloud away. I believe that day is approaching.

Chaparral
Posts: 358
Incept: 2007-09-11

Los Angeles
Hmmm. So it's time to short cloud storage firms? Or will no one give a **** and they'll all gap up 8% next trading day....
Azengrcat
Posts: 438
Incept: 2010-05-31

I'll ask some basic questions:

1. Can the cloud customers sue for data loss/leaks?
2. If the customers can sue, will Amazon go bankrupt?
3. Will Trump be forced to bail out Amazon?
Supertruckertom
Posts: 1928
Incept: 2010-11-07

USA
Wondering if the Fed Gov employees' personal information is on an AWS cloud storage system somewhere?

That would be tremendous leverage in any battle against government overreaching legislation.

What Chinese hacker do I buy the data from?


It is probably already out there.



----------
Preparing to go Hunting.
Lanny
Posts: 75
Incept: 2010-12-21

Canada
Karl I don't understand.
Can you explain it in layman terms?
Tickerguy
Posts: 152824
Incept: 2007-06-26
A True American Patriot!
@Lanny -- it's entirely possible to break into the Hypervisor (management system) of a cloud machine. You can also break into the other (other customers'!) VMs running on the same machine.

If you can get to the Hypervisor you can get to anything. It matters not that you have the files stored encrypted, since you must have the keys on the machine to use them, and that means if I can steal them while they're being used you're ****ed -- now and forevermore.

The essence of this is that no data on a cloud machine is secure, ever, period.

----------
Winding it down.
Unknownsailor
Posts: 456
Incept: 2009-04-06

Bremerton, WA
I'm in a CompSci program at a state school, and the topic of cloud comes up every now and then. I always hit cloud acolytes with "if your data is not on hardware you own, in your own building, you don't own that data, someone else does."

This article will make a great bullet point. Own the hypervisor, own the child install.
Spanktron9
Posts: 4354
Incept: 2009-03-13

Reality.
"If you can't stand in front of it with a rifle and defend it, you don't own it." -Unknown

----------
"Winter is coming." -Motto of House Stark
"Don't coast through life. Grab it by the hair and **** it half to death." - Jotapay
"Strong people are harder to kill than weak people, and more useful in general" - Mark Rippetoe
"Its like Calvinball."-MarvinMartian
Elkad
Posts: 400
Incept: 2009-09-04

I get unsolicited sales calls from cloud service companies fairly often.

My response is always the same. "No way am I storing MY data on someone else's hardware". They used to give a scripted rebuttal, at which point I'd hang up on them.

Lately, even they seem to realize they are selling product to suckers. I've gotten a fair amount of "OK, goodbye" instead of a rebuttal recently.
Whitehat
Posts: 434
Incept: 2017-06-27

The People's Republic of New York
the problem is that once the data became not secure it is forever "out there." and some data has a very long useful life in terms of secrets. the issue to be feared most are the security breaches that were never discovered or discovered after a long time. now the scope of the problem has unknowns. perhaps these escapades actually rise to the level of actual hacks, although it is probably simpler to have some agent employed at a cloud firm access the keys. the keys are a funny thing as this affects the security of old stuff for which they apply, thus breaking security retroactively.

it is guaranteed that really serious stuff never made it to the cloud, however very few people are ever considered that valuable. if data breaches compromise people who served or risked a lot, there is little to no concern over the consequences to them, forget about the general public, for no other reason than it is not considered important enough in the grand scheme. it is a big picture thing that is known personally.

----------
There are two ways to be rich: One is by acquiring much, and the other is by desiring little.
snow, seasons, distance and dirt roads: SSDD
"Be not deceived; God is not mocked; for whatsoever a man soweth, that shall he also reap" (Gal. 6:7)
Idiom
Posts: 133
Incept: 2015-02-20

New Zealand
If anyone gave a **** about security Blackberry would be the king of cellphones.

Nobody cares. Until there is jail time for executives who are reckless with data, nobody will.

For now security lies in being a smaller, maybe slightly more annoying target. Or being too boring. That's about all we have.
Redjack
Posts: 53
Incept: 2018-01-29

Iowa
My current company is moving to centralized servers located in Michigan. I still do most of my work on "my" laptop, and not in the Citrix environment.

I do my own backups, and police my own data. The IT geek keeps telling me that it is a risk for corporate espionage doing that (he said someone could steal my laptop). I told him "Why would they do that? Their data is on the same servers and I would bet that our competitors have either taken a look, or are thinking about it".

IT is now trying to bring all the data "in house".

But no one really cares about security. Nothing on a server is really secure.
Ckaminski
Posts: 4624
Incept: 2011-04-08

Mass-Hole!
Quote:
Nothing on a server is really secure.


Security is inversely related to the number of people that have access to it.

Elcope
Posts: 82
Incept: 2010-02-24

Montana
There is no such thing as "the cloud", there is only other people's computers, or your own.