Comment by Bender 8 hours ago

Maybe this will check a box in some OpenStack cluster but it won't work for me personally. Anything sensitive I use physical servers. Once I am on a VM of a physical server that is not mine then my data is their data. It is just turtles all the way down and there will always be a way to obtain data. What's more, this is required for lawful intercept and authorities expect providers today to be able to live copy/clone a VM. There will always be a back door and when authorities can access the back door, so can the providers and malicious actors. Even more unpopular is that to me encryption is just mathematical obfuscation a.k.a. magic math and the devil is in the implementation details; remember WEP and DVD encryption? Just like cell phones there will always be some simple "debugging" toggle function that can bypass it.

crote 7 hours ago

Why do you trust your physical servers? Do you believe it is impossible for a backdoor to exist in the CPU's Management Engine? Do you inspect the contents of every single network packet entering and exiting? Do you have a way of blocking or inspecting all electromagnetic radiation?

Confidential computing is trying to solve the very problem you are worried about. It is a way of providing compute as a service without the customer having to blindly trust the compute provider. It moves the line from "the host can do anything it wants" to "we're screwed if they are collaborating with Intel to bake a custom backdoor into their CPUs".

To me that sounds like a very reasonable goal. Go much beyond that, and the only plausible attacker is going to be the kind of people who'll simply drag you to a black site and apply the big wrench until you start divulging encryption keys.

  • eqvinox 5 hours ago

    A physical server can use all the same mechanisms a VM in a cloud can use (worst case put your stuff in a single "confidential" VM), but can also rely on physical control of the machine. But there is no longer a 3rd party cloud operator in a pre-privileged position to exploit VMM or CPU vulnerabilities.

    It is essentially by definition more secure than a VM anywhere.

    I wouldn't "fully" trust it without going on-prem though. But trust isn't binary either; container < VM < hosted machine < on-prem machine. That's all there is to this.

  • Groxx 4 hours ago

    > [you already trust all these things, why do you think adding even more things you must trust makes it less trustworthy?]

    is a kinda insane argument at even a surface level

Joel_Mckay 8 hours ago

Unfortunately, if someone really wants into modern equipment it is rather trivial. As modern clouds often just use cost-optimized consumer-grade CPUs/GPUs with sometimes minor conveniences like more ECC RAM, and backplane management options.

In many ways, incident detection and automated-recovery is more important than casting your servers in concrete.

Emulated VMs can create read-only signed backing images, and thus may revert/monitor states. RancherVM is actually pretty useful when you dig into the architecture.

Best policy is to waste as much time and money of the irrational, and interleave tantalizing payloads of costly project failures. Adversaries eventually realize the lame prize is just not worth the effort, or steal things that ultimately will cost them later. =3