Tom's list of contributions at Network World shows that he's not a neophyte when it comes to enterprise-level security, and that he's more of a product test/analytical person than a journalist. Afraid to state a strong opinion? That's someone else, not Tom, who got flamed hard for his "Container Wars" article but has been proved right since it ran. Tom also says, in today's interview, that the recent Apple XcodeGhost breach should be a loud wake-up call for developers who don't worry enough about security. But will it be? He's not too sure. Are you?
Robin Miller for Slashdot: Tom, last month didn't you write some sort of article about people taking over containers, Apples and things like that?
Tom: Well, it wasn't quite that, Robin, but I did a comparison between different kinds of container methodologies, one of which comes from an organization called Parallels, and it's Virtuozzo, from a fairly long, comparatively stable product group that has gotten a bit of attention from OEMs, and actually their big market is hosting companies who want to build appliances and rapidly provision customers with the mundane stuff like mail and WordPress. The meter turns on and everybody forgets to turn it off – which of course makes the ISPs and service providers very happy. And then we compared additionally to that another container methodology called Docker, which is hot, hot, hot technology about how to strip out all of the evil stuff and run things inside of a sandbox container system, and then even run fleets of those things if you like to do big data-ish, HPC-ish sorts of analysis. And it turns out that Docker, which uses Linux containers, isn't anything but a lot of fun because it's certainly not secure, and it has got just incredible variations of stuff because it's so easy and simple to do.
However, any organization putting these sorts of things into production without having chapter and verse in terms of the background of where the container came from, what it is composed of and so forth is pretty much opening the doors to the marauding Huns. And so, I tried to explain my sense of the fact that Docker containers, while really fun and ostensibly poised towards security models, might help bring a chain of authorities into the equation to make things safe.
Well, all that stuff didn't flush, and I got a bunch of e-mails saying, 'Hey, man, we're having a lot of fun with this stuff, so like lay the hell off, would you? I mean, come on, these are so cool, look at this, I can go and shoot 500 of these suckers into a single machine, dude. Now let's see you do that.' And so, well, fast forward to Apple – which has its Xcode that was distributed through third parties, not the stuff that came from Apple themselves, but through third parties. It got tainted with a payload that infects iOS, and suddenly developers find all of their cool apps that were making money in the iTunes store evaporate along with, of course, any kind of profitability. Or, from the users' perspective, any kind of security that they thought they might have.
Why? Well, Apple does allow Apple developers to do a check on the Xcode to see if it is actually valid. Now, how many developers who are trying to make loose and fast money went through their process check to see, Oh, yeah, gee man, hey, man this isn’t the same stuff that comes from the developer side, what do we do?
So what ends up happening? A big explosion and suddenly you can hear the cries of thousands of iOS apps going, ‘They have taken me from the store!’ And they are gone.
So what's the happiness in this? Well, the fear of God has been put into developers so that they understand that they are actually now targets of potential malware infestations that in turn can infect not only their own turf and their own sandboxes, crappy as they are (oh yeah, they are made of sand, not concrete), but it's also a wake-up call to vendor organizations to try and find methodologies that validate these payloads before they're going, "Oh, yeah, build a thousand of them." Okay. So, I feel a little bit vindicated over the fact that, yes, the chain of authorities is important and Docker is loose and fast. It reminds me of all of the warnings and admonitions that the United States Navy gave the sailors of World War II, so they wouldn't pick up STDs in port.
So with that inoculation in mind, will developers actually do the job right and carefully examine what's been going on? Well, yeah, there are initiatives, there are rocket initiatives that start to develop chains of authorities, organizations are starting to carefully look at what the payloads are, but the problem is we don't really have a sandboxing methodology to validate all of these cool appliances, and yes, they are cool and easily deployed, but unfortunately there's no good way to look inside like the FDA does at your freaking hamburger; you go, "Oh, yes, well this was inspected by number 64." I'm hoping that such a thing comes about, because what's happened is that we've once again had a wake-up call.
But the problem is, developers are going to go back to sleep.