CloudLinux

R P Herrold herrold at owlriver.com
Fri Jun 18 17:45:29 MST 2010


On Fri, 18 Jun 2010, unixprgrmr01 at gmail.com wrote:

> Cloud computing is like having sex in Times Square. 
> Everything is viewable to everyone, but only those who are 
> interested are going to delay their busy schedules to stop 
> and see what is going on.

> As far as encryption goes, cracking it is only a matter of 
> time and computing power.  You may not be able to crack it 
> in an amount of time that makes the data usable or valuable; 
> but, it is only a matter of time before computing power & 
> cracking algorithms catch up and allow you to crack in 
> seconds what was previously uncrackable in decades.

'CloudLinux', the CentOS downstream fork, is not cloud 
computing, although in their marketing puffery they position 
themselves as:
 	'CloudLinux is the only commercially supported OS
 	designed specifically for the service provider market'
 	-- http://www.cloudlinux.com/solutions/compare/

I call B*ll sh*t

http://www.cloudlinux.com/support/index.php

 	Serverity [sic; thus in the original] 1
 			2  Buiness [sic] days  ...

where:

Severity One (Urgent)
Catastrophic - OMG help me now. Includes loss of production, 
data and no workaround, major security breach.

I'd be embarrassed to have written that (putting to one side 
the spelling errors).


<advert> PMman time to self-recovery is minutes to having the 
DRP back-up image fallback spinning and live, and depending on 
the care the instance owner took, and the depth of their 
purse, later fallback images.  If one wished to buy 24x7x365, 
we already have trained staffing in place for 'truck roll' to 
the DC, know our pricing, and will consult and quote to 
serious inquiries.  In most instances no truck roll is needed 
as we maintain out of band access to the backside network, 
have remotely controllable power and console access (KVM over 
IP backhaul to dedicated management servers), and there is not 
much other than re-plugging cables that we cannot do remotely 
...</>

------------------------------------------------------


And opinions are like belly-buttons ...

'Everything is viewable to everyone' is laughably ignorant of 
the reality.

3DES was issued (giving ca. 112 bits of symmetric cipher 
strength) because the horizon showed that governmental-strength 
mechanical attacks were 'too close'.  FIPS 140 is in the -2 
update for just this reason, and to comply at the highest 
levels and to surmount obtaining a certification lab's 
'sign-off' on the same costs on the order of tens of millions 
of dollars.   But, like RHEL and CentOS, a person can obtain 
results to the FIPS level cited without the certification for 
little more than skull sweat and testing.

I just generated a 2048-bit public/private key pair 
(asymmetrical crypto), as the horizon to cracking that is not 
within my life expectancy.  The number of atoms in the universe 
is less than the number of sequential stir guesses needed. 
Frankly, without a defect in the algorithms to permit ruling 
out wide swaths of the key-space, the universe runs out of 
power before current crypto, properly done, is cracked.  OTP does 
not NEED hardware RNGs potted in epoxy, as the early BellCore 
reference implementation showed.

The cyber ninja swat team operatives getting into the data 
center need to successfully get past:
 	- fob based ACL 1
 	- fob based ACL 2
 	- all the cameras
 	- hand geometry ACL 1
 	- hand geometry ACL 2
 	- outer cage 1 (fob based ACL)
 	- inner cage door 1 (key locked ACL)
 	... each with continuous and redundant monitoring
 	'inside' the protected loop, and echoed to the outside
 	DRP site

to even get to anything [i.e., the physical layer attacks] 
more than they can get sniffing and journalling all the 
traffic in and out of a given IP for a 'corpus' to crack.

This is far, far more than we had at the Naval Ship R and D 
center during the Nixon administration, except we do not have 
armed Marine guards with loaded M-16s at port arms at the 
entry point as at that long-ago data-center.  All I need to do is 
slow them down and be alerted.

All management of hosts at that DC is done through SSH and 
certificate-backed SSL; there are partitioning and 
fire-breaks, and two discrete and isolated back side 'God 
network' network segments for control that simply do NOT go 
out of the locked cabinet; it is based on an implementation 
that passed the then CISP (now PCI) credit card data security 
assessment, conducted by the author of v2 of that 
specification, without any down-tick or question at all as to 
the Unix/Linux part of the data security model and 
implementation.  The Windows side passed because of the use of 
physically isolated network segments, VPN tunnels, proxies for 
application isolation, and use of a doubly protected physical 
layer.

_Some_ cloud computing may be performed as a public 
promiscuity, but I assure you that the generalization quoted at 
the top of this post is not meaningful, nor worth a damn.

-- Russ herrold
 	http://www.pmman.com/
