Tuesday, November 27, 2007

Note on Virtualisation and RANT

Virtualisation lowers certain overheads and increases flexibility and modularity.

Virtualisation does not address SECURITY until whole system images are checksummed and rotated in a defensive, time-based security method/model, with the abstraction layer and the hardware also playing a key role in the defences.

I have mused over this before, here: http://bsdosx.blogspot.com/2006/11/machine-and-service-integrity.html

As Theo de Raadt mentions over at http://kerneltrap.org/OpenBSD/Virtualization_Security:

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

On a side note, I'd like to repeat the below, courtesy of me:
"Everything will be a server, client and fast cache. The P2P model will win. It's the only thing that can. More "zeroconf" is needed. There seems to be no margins for error, tolerances or defensive programming anymore. What gives someone the right to call themselves a software "engineer" anyway?"

I'll post shortly on my new idea regarding regulation of business IT and an IT TAX to force enumeration, visibility and accountability.

Some time soon, I'll get back to IT security. Currently I am working in other areas and departments and re-learning about the human side and realities in which we all operate. The disconnect is massive. The cowboys operating in IT Security are very disheartening to me. The idiots and "old-guard" on both sides of the fence worry me. So many people have no clue of the complexity, and will never grok it. We need to simplify and innovate.

We need to regulate our "industry" somewhat without stifling innovation. Perhaps the universities should take some of the blame for turning out ignorant coders who don't understand networking or security... perhaps, perhaps not... it remains to be seen. I can only talk from experience, and my experience at Uni taught me nothing, other than that I hated coding and ignored my networking lecturer. I got a degree in Computer Science; I crammed before all exams, some days not even knowing which exam was on that day until I asked my colleagues. All Comp Sci did was pique my curiosity; I might as well have stayed in the Uni bar *all* the time. This might just be my personal version of "learning" at Uni (I like to call it regurgitation), but 99% of my tech was learned on the job ;)

How did I become so bitter and twisted? Am I really? Surely I am an optimist at heart?

Once we see the COMPLEXITY we hanker after SIMPLICITY in all matters in life.

1 comment:

Anonymous said...

Understand the complexity, pursue the simplicity.

And like the good car driver, presume everyone else on the road is an idiot, and make allowances accordingly. I was nearly going to say take evasive action, but that makes it sound a bit like the bumpers (dodgems in the Queen's English).

Comments on Uni noted.