Ridiculously Stupid
The Market Ticker - Commentary on The Capital Markets

2018-03-07 07:00 by Karl Denninger
in Stupidity

This is just flat-out stupid.

Outrageously so.

In early February, a small Virginia-based company—REAN Cloud—that partners with Amazon Web Services announced a nearly $1 billion deal to provide cloud computing services for the Defense Department.

The stupidity isn't in letting a contract like this to a company that has previously done only single-digit millions' worth of business with the government and has only $70 million of gross revenue -- in other words, an expansion of nearly ten times its allegedly-proved capability to execute.

That would be bad enough.

No, the real stupid is that the Pentagon is obviously putting data that is not intended for immediate and full public consumption in the cloud in the first place.

As I have repeatedly pointed out, anyone with hypervisor access can access anything running on any instance of any VM on that machine.

There is utterly no ****ing way that the Pentagon can, has, or will actually vet every single person within Amazon's AWS unit that has such access, nor that they can control the hiring and firing of same or in any way pre-clear anyone who the firm is considering hiring.

Yet this is utterly essential for even the most rudimentary concept of "security" around said data, and even that ignores the risk of outside threats from other users, which we also know is real (and which, I remind you, became "much more real" with Meltdown and Spectre, flaws that have been present in all Intel processors made over the last decade).

Now allegedly those flaws have been patched.  I say allegedly because we don't know if they have in all cases, we don't know if they can be in all cases, and what's worse there is no reason to believe these are the only such flaws.

I have data in the "cloud", including this blog. But nothing that I am unwilling to have some random jackass be able to find in the cloud. Since I publish this blog for the consumption of the public I really don't care one whit whether someone "steals" that data, since the entire point of publishing it is for people to see it. I would be mildly annoyed if someone was able to penetrate the "expiry" of articles, for example, but the fact still remains that I wrote and intended them for public consumption, so.... big deal.

But Pentagon data? Tell me once again what the Pentagon does that isn't at least modestly sensitive and not for public disclosure!

Operational and execution risk here is ridiculous, but what's even worse is the utter and complete ignorance and stupidity that drove this decision in the first place.
