Re: Cloud Services and kernel mitigations and OpenBSD cli support
Cloud poses a risk to privacy that you cannot and must not ignore in business. Ignore everyone that says otherwise. --- If you are a fabless company, for example, it is easy for a cloud sysadmin to exploit the latest vulnerabilities to read your data bank and sell your secrets. Email (yahoo, hotmail, gmail, you name it) is another example of cloud service: sysadmins do not need to exploit anything, because the contents are stored in plain text. --- If you need a cloud, you better make your own. Sent from ProtonMail Mobile On Thu, Mar 8, 2018 at 11:51, Kevin Chadwick wrote: > We all know Bare metal is more secure (ignoring physical security) especially > with OpenBSD but if you need cost effective global resources on tap then I > believe you need cloud. We all know microsoft have a huge user base and > userland issues that are problematic however despite some recent Linux kernel > mitigation adoption attemps, Linux focus on kernel mitigations have been > lacklustre whilst microsoft have been comparatively active albeit enabling > and enforcing mitigations (even ASLR) for all applications by default has > been lacklustre. As cloud services are free from microsofts userland it is a > *hopeful* assumption that their security mitigation works applies to their > cloud too whereas I expect it is unlikely with Amazon and Google (AFAIK > Android fairs better than Linux for mitigations due to Google however??) > Perhaps OpenBSD mitigations still apply effectively to ec2 instances and > cloud services isolation is good enough to never undermine this, though I > find that hard to believe. Perhaps new processor developments will solve this > issue. None of this matters if you cannot get things done. I know there is > OpenBSD AWS client availability but I am unsure about Azure, Google etc. Any > advice and experience is welcome, Thankyou.
Re: Cloud Services and kernel mitigations and OpenBSD cli support
Hi, I've yet to stumble upon the first provider which actually uses OpenBSD as the hypervisor, instead of VMware, Xen, KVM, etc. That, in fact, would be an awesome development. I have been thinkering with this thought back and forth, but the IT company I work for isn't big enough to facilitate this - yet. As to public clouds, no doubt it's far less secure than running OpenBSD bare metal. However, public clouds do have one advantage over bare metal, VMs can be made with the mere click of a button, whereas bare metal often takes time to be put online. Having said that, it isn't always that more cost effective. There are very cheap dedicated servers available. Like in Germany, there is Hetzner, Servdiscount, etc. If you need bulk storage, a dedi is often more affordable than a VM/VPS. However, they do oversell bandwith - a lot. I always prefer a dedicated server to run OpenBSD on, which is my preferred OS. However, if you would hold a gun to my head and made me pick a public cloud provider, I'd pick Azure. There have been some developments that sound okay-ish, like confidential computing: https:// arstechnica.com/gadgets/2017/09/azure-confidential-computing-will-keep- data-secret-even-from-microsoft/ As to the exploit mitigation, I really don't know how this upholds after four years or whether this even applies to public clouds - this might be somewhat related at best: https://www.youtube.com/watch?v=OXS8 ljif9b8 I am keen to know whether someone has real hands-on experience with OpenBSD, exploit mitigations and public clouds - I don't. -J. On Thu, 2018-03-08 at 10:51 +, Kevin Chadwick wrote: > We all know Bare metal is more secure (ignoring physical security) > especially with OpenBSD but if you need cost effective global resources > on tap then I believe you need cloud. > > We all know microsoft have a huge user base and userland issues that > are problematic however despite some recent Linux kernel mitigation > adoption attemps, Linux focus on kernel mitigations have been > lacklustre whilst microsoft have been comparatively active albeit > enabling and enforcing mitigations (even ASLR) for all applications by > default has been lacklustre. > > As cloud services are free from microsofts userland it is a *hopeful* > assumption that their security mitigation works applies to their cloud > too whereas I expect it is unlikely with Amazon and Google (AFAIK > Android fairs better than Linux for mitigations due to Google > however??) > > Perhaps OpenBSD mitigations still apply effectively to ec2 instances > and cloud services isolation is good enough to never undermine this, > though I find that hard to believe. Perhaps new processor developments > will solve this issue. > > None of this matters if you cannot get things done. I know there is > OpenBSD AWS client availability but I am unsure about Azure, Google etc. > > Any advice and experience is welcome, Thankyou. >
Cloud Services and kernel mitigations and OpenBSD cli support
We all know Bare metal is more secure (ignoring physical security) especially with OpenBSD but if you need cost effective global resources on tap then I believe you need cloud. We all know microsoft have a huge user base and userland issues that are problematic however despite some recent Linux kernel mitigation adoption attemps, Linux focus on kernel mitigations have been lacklustre whilst microsoft have been comparatively active albeit enabling and enforcing mitigations (even ASLR) for all applications by default has been lacklustre. As cloud services are free from microsofts userland it is a *hopeful* assumption that their security mitigation works applies to their cloud too whereas I expect it is unlikely with Amazon and Google (AFAIK Android fairs better than Linux for mitigations due to Google however??) Perhaps OpenBSD mitigations still apply effectively to ec2 instances and cloud services isolation is good enough to never undermine this, though I find that hard to believe. Perhaps new processor developments will solve this issue. None of this matters if you cannot get things done. I know there is OpenBSD AWS client availability but I am unsure about Azure, Google etc. Any advice and experience is welcome, Thankyou.
