@rysiek Until the patches land. This is just another arms race, no?

I always thought 2 was just a given; any RCE becomes root eventually.

In the medium term we may have to make the uncomfortable choice between "fast" or "secure", which sucks but isn't the end of the world.

The interesting take-away here is that virtualization, be it hardware or a JIT, is not as safe as we hoped (but still probably safer than some people feared). Sandboxing is hard, we already knew that but hoped for magic.

@HerraBRE no, not all RCEs become root. The fact that we have multi-tenant systems serving tech-savvy users without these users constantly getting root on them is proof enough. :)

It's always an arms race, yes.

Sandboxing is hard, and making decisions where we want to be on the security<->speed spectrum is hard also. We need to dial back on speed and up on security, but there are no incentives to do so, usually. That's the main problem, IMVHO.

@rysiek I go around assuming they're not constantly getting root mostly because they're not all malicious / capable... 😉

But it's an interesting class of bugs, that's for sure!

@paco The security best practice I speak of is:

"Don't share hardware with untrusted strangers who can run arbitrary code and try to attack your hypervisor or local network."

Of course you should use all the compartmentalization tech that is appropriate for your use case. Even if they can be attacked, it raises the bar.

@HerraBRE Never share hardware with strangers? Seems too blunt.

At face value that would prevent using any cloud infrastructure at all wouldn't it? Seems like it might make SaaS services problematic too.

I don't think I've seen that sort of principle put forward as a best practice. I don't see how you could follow that principle in 2018.

@paco I didn't say never. I said it was a best security practice, which it is.

I'm well aware that lots of people (myself included) prioritise other things above absolute security.

When have SaaS and PaaS and IaaS not been problematic for privacy and security? People who care (banks, for example) do this in 2018 the exact same way they did it in 2008 and 1998.

Own hardware or lease entire machines. It's not rocket science, even if your employer would like us to think otherwise. 😉

@paco @HerraBRE hi. We keep all sensitive stuff on bare metal. In 2018, just like we did in 2017. And 2016. And before.

So, yeah.

@rysiek @HerraBRE
Why? To what benefit? What attack is on your threat model that is defeated by that design choice?

@paco @HerraBRE well, for one: https://meltdownattack.com/

@rysiek @HerraBRE
C'mon man. I'm up to speed. That's what kicked off this thread. The EC2 hypervisors were already patched before the announcements and news articles came out. For most people, that's faster than they can do it themselves. It's definitely less effort. What is the risk?

@paco @HerraBRE the risk is that someone knew about this before Google Project Zero found it. And perhaps was exploiting it for a while.

Did AWS update faster than we have? Sure. But since we're using bare metal and do not have anyone else on the same hardware, we did not even need to patch immediately.

@rysiek @HerraBRE The date on this advisory is yesterday, and note that at that time 90+% were already done worldwide. Who patches faster than that? https://aws.amazon.com/security/security-bulletins/AWS-2018-013/

@paco @HerraBRE that is completely missing the point.

The point is not how fast AWS patched their systems for this. The point is since we were using bare metal in the first place, we were basically not affected in any way.

As in, there was no possible malicious co-tenant on the same hardware that could have extracted anything from our memory space.

Because all memory space is our memory space.

On our bare metal.

@HerraBRE @paco you do realize, I'm sure, that the vulnerability was there way before GPZ discovered it and vendors started working on the fix.

And during that time AWS, Azure, all other Cloud platforms were vulnerable, and their users open to malicious co-tenants.

But again, not on bare metal.

@rysiek @HerraBRE I understand it was there for 20 years. Like the OpenSSL and bash bugs that were old when they were discovered. Do you think it was being actively exploited but somehow nobody knows? It's all been hushed up? Or was it perhaps not actually exploited? I have no idea, myself. But it seems hard to believe that it was being exploited a lot for 6 months, but nobody knew.

@paco @rysiek We'll probably never know, unless some too-big-to-keep-secrets agency was using it and proof gets leaked.

If you've got an 0-day like this, you will keep it real quite and use it sparingly on high-value targets.

@paco @HerraBRE I would not be surprised if it had been actively exploited, yes.

The NSAs and FSBs of this world have budgets way bigger than GPZ. And this is exactly the kind of clandestine, effective vulnerability that nobody expects which the three-letter-agencies love the most.

@rysiek @HerraBRE It's impressive that you've built a data centre that withstands the NSAs and FSBs of this world. If that's your threat model and you've countered it, that's pretty impressive. You must be confident that you've countered that threat better than the cloud providers can, too, which is all the more impressive. I don't know many smal businesses that run data centres capable of resisting the 3-letter-agencies.

@paco @HerraBRE I appreciate your stinging sarcasm there; however I must point out that no-where have I claimed we can resist three-letter-agencies in general.

Nor are we confident we can always protect stuff (on the technical level) better than large providers. Not using their services, however, solves other (non-technical) issues.

@rysiek @HerraBRE
My point is this: security people often reach for the agency threat when they talk about reasons to use bare metal. It's the ONE threat that bare metal seemingly solves. But bare metal ONLY solves that threat if you ALSO do a long list of other expensive security controls. So, given that you probably AREN"T defeating the agencies, what's the point of bare metal? The NSA/FSB threat isn't an interesting security discussion. Nobody (on here) is really designing to defeat them.

@paco @HerraBRE Agency threat (and APTs, and HackingTeams and Gamma Internationals of this world) are one.

Legal threats are another issue using bare metal helps mitigate, at least partially.

@paco @rysiek @HerraBRE you guys suck i had 'defence in depth' on my bingo card. I thought i was going to win 😢

@finux @HerraBRE @paco so let me get this straight:

1. you played bingo
2. you lost
3. you complain about it
4. and it is us who suck?

:P

@rysiek @paco @HerraBRE what else was i suppose to do whilst waiting for the NSA to hack my bingo machine host in my own private AWS

@finux @HerraBRE @paco

> private
> AWS

This is getting better and better. ;)

@finux @rysiek @paco Defense in depth dictates avoiding bingo and other gambling.

The house always wins and attacks only ever get better. 😜

@HerraBRE @finux @paco unless...

Unless we put the bingo on Blockchain! In spaaaaaaace!

@paco @HerraBRE

Nevertheless, we do our own threat modelling and make decisions that seem best for us.

One of them was going bare-metal for sensitive stuff.

This decision has been validated by #Meltdown and #Spectre.

@paco @HerraBRE so at this point I am kind of at a loss trying to understand what your point is.

Is it that "tree-letter-agencies can get into anything, so why use bare metal"? If so, my question is: do you use SSH? Why not Telnet?

@rysiek @paco Exactly. By using bare metal you have eliminated an entire class of attacks.

There will be more bugs like this.

Security professionals know this and have known for a long time. Thus my claim it was a standard best practice, albeit one that has costs not everyone could justify.

That math has shifted now, more people will justify the expense. Not all, but more.