Coding… and then some…

Paul views the world, sighs, and puts the boot in…

Hey you, get off of my cloud

In the software business, we’ve stolen a lot of words from nature.

We’ve nicked your trees, branches and leaf nodes.

We’ve had viruses and paths.

So it perhaps won’t be a shock to know that we’ve just carried out a hit-and-run with another one – The Cloud.

Since the public got onto the internet in the mid to late 1990s, companies joined them in trying to find ways to make money. And up until the last couple of years, this was easy – you were either a bricks-and-mortar retailer with a new outlet, like Argos, or you started the same thing, but without the physical presence of a bricks-and-mortar store, like Amazon.

The infrastructure was always yours; you had your own servers, they held your data, and you scaled up the hardware and software accordingly.

It was the breakthroughs in semiconductors that made it all possible – you may remember someone saying “A computer on every desktop”. It was a revolution designed to put power into the hands of every user, and it was a promise that the major vendors were happy to sell to us.

Up until now.

If you’re old enough to remember back to the late 1970s, and indeed the early 1980s, if you wanted time on a computer, you booked time on a machine, typically a mainframe, and all of your code and data resided there. You accessed it on a dumb terminal, in my case a DEC VT220, did your kung-fu, and then got a message 5 days later that your program had failed to compile because you’d missed a colon at line 355. And then the mid/late 1970s hit.

Suddenly, we could all have machines to OURSELVES, we could write whatever we wanted, put whatever we wanted on the machines, and they were OURS. IBM was incensed, but at the same time, grateful, because even though the likes of Apple had attracted the hobbyists, they also had a machine that could provide you with your own computer system – and because it had the IBM badge, your boss would sign off on the purchase request. The mainframe model was broken, it was power to the people, and things would never be the same again.

Or would they…?

Let’s spin on 35 years.

Living in 2009, most people simply can’t imagine what the computer world was like 30 years ago.

But they’re about to get it again. It’s called Cloud Computing, and like the name it stole, it looks nice and fluffy, but is full of potential rain and thunderstorms.

Breaking The Law

Almost everyone who uses computers today has heard of Moore’s Law, even if they don’t understand it. There are people who describe it far better than me, but it basically says that the number of transistors that can be inexpensively placed on a device doubles every two years.

What Dr Moore actually wrote in April 1965 was:

“The complexity for minimum component costs has increased at a rate of roughly a factor of two per year … Certainly over the short term this rate can be expected to continue, if not to increase. Over the longer term, the rate of increase is a bit more uncertain, although there is no reason to believe it will not remain nearly constant for at least 10 years. That means by 1975, the number of components per integrated circuit for minimum cost will be 65,000. I believe that such a large circuit can be built on a single wafer.”

OK, so what does that mean?

Well, it gives you a desktop machine with some 820 million transistors.

Holy heat dissipation, Batman!!!

Apart from setting fire to your office, with that kind of power available to me on my desktop, why do I need anyone else to help me with my computing?

Well, like every field, state-of-the-art is expensive.

But it soon drops in price if you just buy enough of it. And with the number of businesses using sites like Google and Amazon each day, the cost for them becomes cheap – and when you run the kind of numbers these companies talk about, it really does become cheap.

Relax… we’ve got your data…

So, as a business, you’ve now got a situation where you can place your business running on the latest hardware, load-balanced, and centrally managed. What’s not to like?

Well, you can place your business there, but so can world+dog. When was the last time you handed over your personal data, and didn’t find it compromised or leaked within the subsequent 6 months? Thought so… Do you really want to hand over all of your company data to someone running in “The Cloud”? If you’ve ever posted any message, photo, or personal data to a social networking site, and had it escape beyond the limits you expected, have you ever managed to rein it in? Once the data is out there, it takes on a life of its own. If you place corporate data in the cloud, who owns it? And when (not IF) it’s leaked, what protection and mitigation policies do you have in place? And if you come into a contractual dispute with your cloud service provider, and they close off your access, where will your data come from to ensure your business continuity?

But on a more daily-basis consideration – you need to have a 100% full-bandwidth link with a 0% SLA agreement to make Cloud Computing work. And whilst your CC hosting company may be prepared to sign up for that, will your infrastructure provider…?

It’s My Party And I’ll Cry If I Want To…

And I DO want to cry… Aren’t we reverting to the 1970s model of computing?

At least with the 1970s model, your data and its processing stayed within your company. My advice would be to keep your data processing inside. Send it outside when you need to – and YOU control it – YOU take control of encryption and deal with the levels of privacy that your customers expect. There are several companies that can help you.

Obviously, I recommend Trusted Technologies.

August 3, 2009 | Uncategorized

McKinnon vs UK.gov: Spot the party with the mental health issues…

So, another week passes, and the seemingly inevitable extradition of Gary McKinnon moves ever closer.

For those who have been following the case, you have to believe that this is nothing to do with hacking US military networks, and everything to do with being a showcase trial.

Over the past 7 years, McKinnon has consistently admitted the unauthorised entry into US government and military networks to search for evidence of alien technology that could solve the energy crisis.

Hardly the work of a hardcore spy. In fact, more like something that might be done by a 40-year-old sysadmin with Asperger’s Syndrome, an over-active imagination and a love of the X-Files. All of which, funnily enough, describe McKinnon perfectly.

Let’s be perfectly clear here. This is described by the US authorities as “the biggest military hack of all time.” Well, if that really IS the case, if I were in a position of securing the US IT military infrastructure, I’d be bloody terrified, to put it mildly. Are you seriously suggesting that a single 40-year-old man in a bedroom in the UK (the US’s closest ally), armed with a couple of Perl scripts, could steal the keys to the kingdom? So what about the Chinese?

To give you an example of the kind of dangerous misunderstanding that pervades politicians’ minds, let’s not forget about the huge DoS attack that took place about a month or so ago, which took out large parts of South Korea’s systems. Most readers of this blog will know that DDoS attacks simply cannot be put down to a single point of origin – that’s why they’re called “distributed”. Unfortunately, a combination of ignorance and over-excitability led one US Congressman to the conclusion that because the attack was directed against South Korea, it MUST have originated in North Korea, and that the US should immediately take steps to defend themselves, because they could well be the next target and have vital infrastructure disabled.

It’s this kind of dangerous, woolly-thinking ignorance that simply HAS to be behind McKinnon’s predicament. How else can there be any other justification for extradition to the US?

Let’s also make one other thing clear – the cost of this attack. The US are claiming that $800,000 (£487,000) worth of damage was done. I’m sorry, but I simply can’t see how this can possibly be true. Sure, there’s the cost of auditing what was compromised and fixing it, but if you’d spent that money in the first place and didn’t have such shoddy security arrangements, the whole sorry tale could have easily been avoided. Equally, I fail to understand how simply reading some files from a network can cause the levels of damage that the US are claiming.

I’m sorry if I sound like I’m condoning what McKinnon did; I’m not. As a computer security professional, it’s my job to stop attacks like this happening. It is quite clear that what McKinnon did breached acceptable computer usage laws, both here in the UK and in the US. McKinnon himself freely admits as much. In a recent survey for computer security firm Sophos, 71% of IT professionals believe that the treatment of McKinnon is way out of proportion to what he did. And these are the very same people tasked with keeping people like McKinnon out of the systems they are responsible for.

I don’t want to get into a political debate about the current credit crisis, but I notice no charges have been brought against reckless actions by banks, nor against individual traders. Even the Natwest Three, when extradited to the US, were granted bail to return to the UK. McKinnon faces a potential 70 years in a US jail – condemning him to the rest of his life behind bars.

I’m worried, but not shocked, that the UK government has decided to press ahead with this. Despite the support of nearly the entire UK IT industry, high profile celebrities such as Pink Floyd’s David Gilmour, and even the Daily Mail, the Home Office are clearly determined to press ahead with this case. After all, nearly a million people protested against the war in Iraq – in person – for all the good it did them.

The UK government does itself no favours in this case. It is quite willing to hand over a UK citizen with a diagnosed mental illness to the US authorities, but refuses to deport the convicted murderer of the headmaster Philip Lawrence back to Italy. Can you imagine the US authorities hanging its own citizens out to dry like that?

The UK Home Secretary who started the whole sorry affair, David Blunkett, now says he wishes he hadn’t started it. And his successor, “Wacky” Jacqui Smith, who continued to allow the extradition procedure, recently said she felt she was out of her depth in the job.

And yet, despite all of the public anger over the proposed UK ID card scheme, the present holder of the post of Home Secretary, Alan Johnson, yesterday described the actions carried out by himself and his two predecessors as a “No brainer.”

And for the first time ever, I completely agree with them.

August 2, 2009 | Uncategorized
