SoylentNews is people

posted by janrinok on Monday August 03 2015, @01:14PM
from the a-more-secure-cloud? dept.

Rackspace is leading an effort to create a new group of top-tier cloud companies that it hopes will share information about security in close to real time.

Rackspace chief security officer Brian Kelly today told The Reg at a Sydney event that he feels cloud companies have to take a lead to address security challenges. Rackspace, he said, operates a skunkworks in which it is considering approaches such as asking CPU-makers to add security functions to silicon in order to make dedicated security appliances less relevant. That effort, he said, has seen Rackspace hire two of three leaders of the US military's online operations squads because Rackspace wants that kind of expertise and experience on staff.

Another approach Kelly feels is necessary is for cloud leaders to come together to share information, so that when one detects an attack or a threat, the others are quickly made aware of it. All, it is hoped, will therefore be better positioned to combat emerging threats.

Kelly said Rackspace has developed a platform to monitor its own systems for attacks or emerging threats, and provide information on them at speed. The company hopes the new group will be willing to both consume that feed and contribute to it. Intel, Dropbox, Google, Microsoft and Amazon Web Services are either on the target list or have already entered discussions about the group.

It's hoped the group will launch later this year.


  • (Score: 2, Interesting) by MichaelDavidCrawford (2339) <mdcrawford@gmail.com> on Monday August 03 2015, @03:23PM (#217423)

    It's called the Trusted Computing Platform Alliance [osxbook.com].

    TCPA is built into my Early 2006 Core Duo - not Core 2 Duo - MacBook Pro. I expect it's in my Early 2013 Core Quad i7 MacBook Pro as well but haven't actually checked.

    Apple uses the Infineon SLB 9635 TT 1.2. It has ten key registers, some crypto instructions whose keys come from that write-only flash, as well as some read-write flash. More or less what you do is write your secret key into the write-only flash, write the bootloader passphrase into the read-write flash, encrypt then hash the passphrase, read that hash into a CPU register then use the CPU's crypto machine instructions to encrypt or decrypt your full disk.

    What that means is that the raw blocks on your disk are only useful to the exact same microprocessor that originally encrypted them. It won't do them good if the Gestapo images your hard drive, nor if they make off with your disk.

    If they steal your notebook you will want to brick it; Lojack For Laptops is cheap as dirt and has the option of bricking your box for you, however its loss and theft recovery geolocation system depend on it phoning home to The Great White North on a Damn near continuous basis.

    I bought it for my Early 2013 Retina Display MacBook Pro. It really did ease my mind, however I grew concerned when I logged into my user account at Absolute Software's site only to find that Lojack was doing a pretty good job of letting twenty-five retired police officers know where to find me.

    If all you want is to brick your box were it lost or stolen, at boot then periodically until shutdown, use SSL (or maybe Tor) to fetch a digitally signed document from a server that you personally have control over (ie. not hosted with a "Cloud Provider"). If you want to brick then replace that document with "Bond. James Bond. Shaken, Not Stirred." then don't sign it - or maybe sign it with the "Brick Yourself" secret key.

    Many kinds of server chassis have intrusion detection; not long ago, someone reported that their Tor Exit Node's chassis had been opened, then a USB stick inserted, removed then the chassis closed again.

    So what you do there is brick your server when the chassis is opened butcept for a small bit of code that cryptographically erases any storage that's plugged into your USB.

    Thanks For Letting Me Clear All That Up.

    --
    Yes I Have No Bananas. [gofundme.com]
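
The signed-document check described in the comment above, sketched as an added example that is not part of the original comment or any product it mentions. The JSON format, the `Status` and `Decide` names, the Ed25519 key type and the one-hour freshness window are all assumptions; the issue timestamp is added so that a captured old "ok" document cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Status is the signed document body (hypothetical format, assumed here).
type Status struct {
	Command string `json:"command"` // "ok" keeps running; anything else bricks
	Issued  int64  `json:"issued"`  // Unix seconds, so an old "ok" cannot be replayed
}

type Action int

const (
	Continue Action = iota // fresh, correctly signed "ok"
	Brick                  // unsigned, tampered, stale, or not "ok"
)

// Decide checks a fetched document against the owner's public key.
// Only a fresh, valid "ok" returns Continue; the comment's unsigned
// replacement text fails verification and therefore returns Brick.
func Decide(pub ed25519.PublicKey, doc, sig []byte, now time.Time, maxAge time.Duration) Action {
	if !ed25519.Verify(pub, doc, sig) {
		return Brick
	}
	var s Status
	if err := json.Unmarshal(doc, &s); err != nil || s.Command != "ok" {
		return Brick
	}
	if age := now.Sub(time.Unix(s.Issued, 0)); age < 0 || age > maxAge {
		return Brick // future-dated or stale document
	}
	return Continue
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed demo key pair
	now := time.Now()
	ok, _ := json.Marshal(Status{Command: "ok", Issued: now.Unix() - 60})
	unsigned := []byte("Bond. James Bond. Shaken, Not Stirred.")
	fmt.Println(Decide(pub, ok, ed25519.Sign(priv, ok), now, time.Hour) == Continue)
	fmt.Println(Decide(pub, unsigned, nil, now, time.Hour) == Brick)
}
```

Only the public key needs to live on the laptop; the signing key stays on the server the owner controls.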