Security is an Important Coding Consideration Even When You Use Containers (Video)
Tom's list of contributions at Network World shows you that he's not a neophyte when it comes to enterprise-level security, and that he's more of a product test/analytical person than a journalist. Afraid to state a strong opinion? That's someone else, not Tom, who got flamed hard for his "Container Wars" article but has been proved right since it ran. Tom also says, in today's interview, that the recent Apple XcodeGhost breach should be a loud wake-up call for developers who don't worry enough about security. But will it? He's not too sure. Are you?
Robin Miller for Slashdot: Tom, last month didn't you write some sort of article about people taking over containers, Apples and things like that?
Tom: Well, it wasn't quite that, Robin, but I did a comparison between different kinds of container methodologies, one of which comes from an organization called Parallels, and it's Virtuozzo, from a fairly long, comparatively stable product group that has gotten a bit of attention from OEMs, and actually their big market is hosting companies who want to build appliances and rapidly provision customers with the mundane stuff like mail and Wordpress. The meter turns on and everybody forgets to turn it off – which of course makes the ISPs and service providers very happy. And then we compared additionally to that another container methodology called Docker which is hot, hot, hot technology about how to strip out all of the evil stuff and run things inside of a sandbox container system, and then even run fleets of those things if you like to do big data-ish HPC-ish sorts of analysis. And it turns out that Docker, which uses Linux containers, isn't anything but a lot of fun because it's certainly not secure, and it has got just incredible variations of stuff because it's so easy and simple to do.
However, any organization putting these sorts of things into production without having chapter and verse in terms of the background of where the container came from, what it is composed of and so forth is pretty much opening the doors to the marauding Huns. And so, I tried to explain my sense of the fact that Docker containers, while really fun and ostensibly poised towards security models, might help bring a chain of authorities into the equation to make things safe.
Well, all that stuff didn't flush, and I got a bunch of e-mails saying, 'Hey, man, we're having a lot of fun with this stuff, so like lay the hell off would you, I mean, come on, these are so cool, look at this, I can go and shoot 500 of these suckers into a single machine, dude. Now let's go see you do that.' And so, well, fast forward to Apple – which has its Xcode that was distributed through third parties, not the stuff that came from Apple themselves, but through third parties. It got tainted with a payload that infects iOS, and suddenly developers find all of their cool apps that were making money in the iTunes store evaporate along with, of course, any kind of profitability. Or from the users' perspective, any kind of security that they thought they might have.
Why? Well, Apple does allow Apple developers to do a check on the Xcode to see if it is actually valid. Now, how many developers who are trying to make loose and fast money went through their process check to see, Oh, yeah, gee man, hey, man this isn’t the same stuff that comes from the developer side, what do we do?
So what ends up happening? A big explosion and suddenly you can hear the cries of thousands of iOS apps going, ‘They have taken me from the store!’ And they are gone.
So what's the happiness in this? Well, a fear of God has been put into developers so that they understand that they are actually now targets of potential malware infestations that in turn can infect not only their own turf and their own sandboxes, crappy as they are (oh yeah, they are made of sand, not concrete), but it is also a wake-up call to vendor organizations to try and find methodologies that validate these payloads before they're going, "Oh, yeah, build a thousand of them." Okay. So, I feel a little bit vindicated over the fact that, yes, the chain of authorities is important and Docker is loose and fast. It reminds me of all of the warnings and admonitions that the United States Navy gave the sailors of World War II, so they wouldn't pick up STDs in port.
So with that inoculation in mind, will developers actually do the job right and carefully examine what's been going on? Well, yeah, there are initiatives, there are rocket initiatives that start to develop chains of authorities, organizations are starting to carefully look at what the payloads are, but the problem is we don't really have a sandboxing methodology to validate all of these cool appliances and yes they are cool and easily deployed, but unfortunately there's no good way to look inside like the FDA does at your freaking hamburger; you go, “Oh, yes, well this was inspected by number 64.” I'm hoping that such a thing comes about because what's happened is that we’ve once again had a wakeup call.
But the problem is, developers are going to go back to sleep.
The spectrum of virtualization (Score:3, Interesting)
Containers are even more dangerous than VMs since you lose even more virtualization. All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine. Even process isolation yields some amount of containment (can't snoop cross-process memory) but this is typically trivial to breach for any malware.
A large part of the security problem can be solved with simple configuration cleanliness. Do you know what software you're running? If you don't then no amount of containment will help and it's just a matter of time before your network is pwned.
Re: (Score:2)
Containers are even more dangerous than VMs since you lose even more virtualization. All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine. Even process isolation yields some amount of containment (can't snoop cross-process memory) but this is typically trivial to breach for any malware.
If you have a server (in a container or whatever), with all your users' passwords going through it.....then it really doesn't matter if the malware can't get out of the container, it can still sniff the passwords as they go through.
Re: (Score:1)
All these technologies sit on a spectrum of resource-cost-to-containment with the hardest containment being a different physical machine.
Physical separation opens up an entirely different set of security problems. I can purge and redeploy a few thousand containers before you've got a single physical machine halfway through re-imaging. You've also got to face the fact that security does not live in a bubble. Managing a metric crapload of containers or even full-blown VMs is far, far more efficient (cost and timewise) than managing a metric crapload of physical machines.
A large part of the security problem can be solved with simple configuration cleanliness. Do you know what software you're running? If you don't then no amount of containment will help and it's just a matter of time before your network is pwned.
This, though. In rare cases where shitty application code isn't to bla
-1 Registration Required (Score:2)
There are 11 types of developers... (Score:3)
There are 11 types of developers when it comes to security.
00) Wot? 70% of them. Probably 95% of web designers.
01) I care about security, but I don't have to do anything about it in my layer. Another 20%.
10) I care about security and it is my problem. Just 10%. Maybe.
This guy is preaching to group 10 and trying to get group 01 to care. It's nice to see something else out there fighting the good fight.
Re: (Score:2)
You need other subcategories of number 10. Those who care about security, have to interface with security and use security features, but who are not the security expert. These are different from the developers who actually implement the security, who may also differ from the people who decide the policy of security (who may or may not be software/firmware people).
Security is hard (Score:2)
There is no "magic bullet." Garbage collection won't save you, a container won't save you. In the end, you need to be thinking about security every line you write, or you'll end up with an integer overflow that allows hackers to take over your container.
Re: (Score:2)
Nobody knows WTF is inside of a container except the person that built it, and no one knows if they MD5'd the contents, used all of the appropriate checked libs, and made sure that processes/confs/symlinks that were unnecessary were removed from the container. The same needs to be done to hypervised VMs. You can MD5 the container once built, but then checking to see if something ugly's been added isn't simple.
Then there's the job of doing update/patch/fix, and ensuring that those payloads have a chain of co
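The "MD5 the container once built, but then checking to see if something ugly's been added isn't simple" problem above, and the "do you know what software you're running?" point earlier in the thread, come down to keeping a per-file manifest rather than one hash of the whole image. This is an added example, not code from the discussion or from Docker; it assumes the container's root filesystem has been exported to a directory (the sample tree in `demo()` is constructed) and records a content hash, symlink target and mode bits per path so that additions, edits, retargeted links and permission changes all show up in a diff of two snapshots.

```python
import hashlib
import os
import stat
import tempfile

def build_manifest(root):
    """Map each path under root to (digest, mode); lstat so links are recorded, not followed."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                digest = "link:" + os.readlink(full)      # target, so retargeting shows up
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    digest = "sha256:" + hashlib.sha256(f.read()).hexdigest()
            else:
                digest = "dir" if stat.S_ISDIR(st.st_mode) else "special"
            manifest[os.path.relpath(full, root)] = (digest, stat.S_IMODE(st.st_mode))
    return manifest

def diff_manifest(baseline, current):
    """Return (added, removed, modified); a changed hash, link target or mode bit is a modification."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, modified

def demo():
    """Constructed sample tree: snapshot it, tamper after the 'build', diff the snapshots."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "usr/bin"))
    with open(os.path.join(root, "etc/passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/sh\n")
    with open(os.path.join(root, "usr/bin/app"), "wb") as f:
        f.write(b"\x7fELF stub standing in for a built binary\n")
    os.symlink("app", os.path.join(root, "usr/bin/app-link"))
    baseline = build_manifest(root)
    # Post-build tampering: new file, appended line, retargeted link, mode change
    with open(os.path.join(root, "usr/bin/extra"), "wb") as f:
        f.write(b"not part of the build\n")
    with open(os.path.join(root, "etc/passwd"), "a") as f:
        f.write("svc:x:1000:1000::/nonexistent:/bin/false\n")
    os.remove(os.path.join(root, "usr/bin/app-link"))
    os.symlink("extra", os.path.join(root, "usr/bin/app-link"))
    os.chmod(os.path.join(root, "usr/bin/app"), 0o755)
    return diff_manifest(baseline, build_manifest(root))
```

Calling `demo()` returns one added path and three modified ones; in practice the baseline manifest is stored outside the image (and ideally signed) at build time, and the comparison is re-run against the exported filesystem before each deploy.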
Re: (Score:2)
And there is a magic bullet. It's called "knowing what you're doing"
Sounds like......you have a genius idea there.
Re: (Score:2)
I......work hard to ensure that every line I write IS secure.
Then keep up the good work, we need more programmers like you.
Re: (Score:2)
Experience causes people to think about security. Thus the old codgers who have the most experience are also more experienced at having run into these problems before. I see plenty of young coders repeating the same mistakes that were made back in the 70s.
The same group of kids who think that their parents will never see their drunken pictures on instagram are not the ones who have the proper paranoia to code securely.
EVEN WHEN??!!!! (Score:4, Interesting)
Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?
Re: (Score:2)
It's not a terrible idea, but it takes effort and some time to get a solid and reliable implementation. The part where you do that first, before deploying them in production, seems to have been skipped with Linux. I'd trust Solaris or Illumos Zones, because they've been around for years and have had a lot of testing. IBM WPARs are probably also fine, if you can afford AIX (not that I can). But the bundle of duct tape and bailing wire that Docker has used to cobble together containers on Linux, which changes
Re: (Score:2)
The part where you do that first, before deploying them in production, seems to have been skipped with Linux
Don't worry, the systemd programmers will take care of that!
Re: (Score:2)
Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?
Because you can run three to four more server apps on the same architecture than you can using even efficient VMs such as KVM. That, in turn, means you have to pay for fewer servers.
Re: (Score:2)
You are completely full of shit, I'm looking at a VM right now at work with gigabytes provisioned but the actual RAM in use is but hundreds of megabytes. Enterprise class virtualization has evolved beyond whatever silly system you imagine
Re: (Score:2)
No, that's long obsolete. vSphere 6 is the current one, try to keep up
Containers do not provide sufficient isolation, less secure even than jail
Re: (Score:2)
LXC does not add any IO.
Re: (Score:2)
I just use it with a rootfs folder. Using a btrfs volume may add some stuff.
btw: Docker was based on LXC and I think it still supports it? So it's just an aufs (unionfs) when using docker.
Re: (Score:2)
Yeah, docker creates a layer and then never changes it. With the LXC backend, it uses aufs to stack them. ;).
I still prefer using bare LXC containers. There I know what I have and do not trust any prebuilt stuff. And when I start with creating a base image (debootstrap for ubuntu/debian), I just do the same as a "lxc-create -t debian" does.
But maybe I am old school.
Re: (Score:2)
Containers are even less separate than jails, of course they're near the bottom of the barrel in terms of security. Why the Container fad when the overhead of proper virtualization is now so very low it's negligible on any modern server processor?
Containers are easy for weekend IT guys like me who run our own servers. I don't have time to bother with learning an entirely new IT paradigm and setting it all up myself. Home server software makes all of that unnecessary and Docker containers are handled almost like "apps" in some software (like Unraid). I have to set directories and manage the network port mapping but everything else is done for me. It does what I need it to do without requiring much new knowledge or skill.
Re: (Score:2)
never use gotos,
There's nothing wrong with GOTO statements, and there never was. This is a rather popular misconception.
Sixth, never ever use exception handlers. You have a non-deterministic path through the program and therefore no means of knowing if the state of the program is valid. You also want the program to crash if it encounters a situation that it shouldn't, it means there's a catastrophic fault in the machine or the software. There are no exceptions to this rule. Exception handling is one of the worst mistakes ever made in software engineering.
Oh, so you're trolling.
I'm missing something (Score:2)
Re: (Score:1)
Given that Xcode is free (as in comes with OS X), why would you get it from a source other than Apple?
The quickest answer is that some countries fsck with the websites of others... I live in China and they love to play games with DNS resolving, temporary and permanent website bans, bandwidth restrictions (sometimes per service, i.e. just for www, but ssh is full speed).... and etcetera and so forth.
Sometimes you will download from another site just so it doesn't take a week to download, sometimes you don't even realize that you are on a China-specific site that is giving you different binaries (i.e. Skype).
Re: (Score:2)
This presumes that the instance's NON-INTERNET-FACING side is secure, and don't be so assured that it is.
Doctor Who? (Score:1)
Pointless (Score:2)
Whoever needs to argue about contributions to show "he's not a neophyte" has other problems. Especially if he needs to think about whether he needs security even in containers. I mean, what the fuck.