Tuesday, November 27, 2007

Note on Virtualisation and RANT

Virtualisation lowers certain overheads and increases flexibility and modularity.

Virtualisation does not address SECURITY until whole system images are checksummed and rotated in a defensive, time-based security model, with the abstraction layer and the hardware also playing a key role in the defences.

I have mused over this before, here: http://bsdosx.blogspot.com/2006/11/machine-and-service-integrity.html

As Theo de Raadt mentions over at http://kerneltrap.org/OpenBSD/Virtualization_Security:

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

On a side note, I'd like to repeat the below, courtesy of me:
"Everything will be a server, client and fast cache. The P2P model will win. It's the only thing that can. More "zeroconf" is needed. There seems to be no margins for error, tolerances or defensive programming anymore. What gives someone the right to call themselves a software "engineer" anyway?"

I'll post shortly on my new idea regarding regulation of business IT and an IT TAX to force enumeration, visibility and accountability.

Some time soon, I'll get back to IT security. Currently I am working in other areas and departments and re-learning about the human side and realities in which we all operate. The disconnect is massive. The cowboys operating in IT Security are very disheartening to me. The idiots and "old-guard" on both sides of the fence worry me. So many people have no clue of the complexity, and will never grok it. We need to simplify and innovate.

We need to regulate our "industry" somewhat, without stifling innovation. Perhaps the Universities should take some of the blame for turning out ignorant coders who don't understand networking or security.... perhaps, perhaps not..... it remains to be seen. I can only talk from experience, and my experience at Uni taught me nothing other than that I hated coding and ignored my networking lecturer. I got a degree in Computer Science; I crammed before all exams, some days not even knowing which exam was on that day until I asked my colleagues. All Comp Sci did was pique my curiosity; I might as well have stayed in the Uni bar *all* the time. This might just be my personal version of "learning" at Uni (I like to call it regurgitation), but 99% of my tech was learned on the job ;)

How did I become so bitter and twisted? Am I really? Surely I am an optimist at heart?

Once we see the COMPLEXITY we hanker after SIMPLICITY in all matters in life.

Sunday, November 18, 2007

Damn straight... but sorta' bendy

From Drazen comes this snippet of a quote from Computerworld interviewing the legendary Frank Abagnale of 'Catch Me If You Can' fame:

"Computerworld Staff: Is there anything we can do to make illicit computer-related activity a less attractive pursuit for young people?

Frank Abagnale: There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect.

Computerworld Staff: Any thoughts on how we can bring that change about?

Frank Abagnale: I think you need to bring character and ethics back into schools, and you certainly need to bring it back into colleges and universities as part of a curriculum. Only about half of Fortune 500 companies even have a code of ethics or code of conduct. The ones that do have one publish it every five years on an inside page of their annual report to appease their shareholders. So, obviously, there's no big effort out there to bring about that change. Rutgers just finished a five-year study that found that 56% of MBA students cheated.

There are really no con men anymore like there were in my day, because you really don't have to associate with anyone. You don't have to be well dressed and well groomed and well spoken. Everything's done on a computer; there are no witnesses. So even if you know who's doing it, you probably don't have the ability to go capture them. Chances are you have no idea what they look like; they can sit in their pajamas and commit all these crimes."

There seems to be no mandatory or enforceable cost anymore for performing an act that is detrimental to the health of the net or its component systems. Our super-organism (the internet) is being eaten from the inside out while we neither realise nor appreciate the symbiotic relationship we have created between man and machine.

Who is held accountable, and how, when we can't even agree upon or incentivise actions to help protect our immediate and more fragile internetwork, the green planet we call home? I had a few ideas here: Some cud, but I still wonder about the fact that there are too many humans; just ask Mr. Malthus!