Sign in with
Sign up | Sign in

Security In The Cloud

Charlie Miller On Hacked Batteries, Cloud Security, And The iPad
By

Alan: What about "mathematically proving" that software is "correct" and performs as expected to meet the design requirements? That's done with avionics software. Can we do that with regular software? Can you mathematically prove that something is secure, or at least impervious to specific attack patterns like fuzzing or SQL injection?

Charlie: It's probably possible sometimes, but it is not done. We're still really in the stone ages of software security. At this point, the only practical thing to do is fuzz, audit, and analyze the hell out of it. Microsoft fuzzes everything, but obviously there are still plenty of bugs in its stuff. I've found critical bugs in software that has been analyzed by static analysis tools. Research indicates that different fuzzers find different bugs. Finding all (or even most) critical software vulnerabilities is really hard, time intensive, and expensive. NASA might have the time and money to make sure the software on their Mars Rover is perfect, but software vendors want to ship software and make money and are willing to live with a "few" vulnerabilities.

Alan: Besides better software, what about hardware issues? Joanna Rutkowska published the SMM attack a couple of years ago, and you recently talked about the firmware attack with Apple batteries. How do we approach this problem?

Charlie: This is really hard. Another example you left out is Ralf Phillip Weinmann and his mobile baseband attacks. There are lots of different chips in all of our electronics that you don't think about. This is one of the reasons I was interested in the battery research. The worst thing about hardware is that it is hard/expensive to analyze. We can all download Internet Explorer and audit the code/fuzz it. But it takes equipment and special skills to look at hardware. I probably spent $1000 for equipment on the battery research and that was just for fun. These barriers make the systems less secure because it discourages researchers like me from analyzing it.

Alan: Where does cloud computing fit into this? You’re putting a lot of trust into the company developing the cloud software and the company actually hosting the cloud. If its software is bad, or worse, if its privacy policies are incomplete or its employees are unethical, you are at a significant level of risk for data compromise. In addition, a big database like that would be a prime target for hackers. On the other hand, companies like Amazon, Apple, Microsoft, and Google should be better-equipped than the average end-user when it comes to security.

Charlie: Yes, cloud security is tough because it can't be independently validated very easily. We can all tear apart MS PowerPoint to see what it does with our data, but when you ship your data off to the cloud, researchers like me cannot look at the software to try to find bugs. In fact, poking around on their Web site is illegal. Using software that is not on your system, and thus cannot be torn apart and reverse engineered, means you are putting a large amount of trust on whoever is writing that software. The guys like me won't be able to help you. As for whether these big companies are better than the average person, I'm not sure. Sony might be a good counterexample to your argument.

Ask a Category Expert

Create a new thread in the Reviews comments forum about this subject

Example: Notebook, Android, SSD hard drive

Display all 16 comments.
This thread is closed for comments
  • 0 Hide
    Darkerson , August 2, 2011 4:38 AM
    Pretty interesting read. Keep up the good work!
  • 2 Hide
    pepe2907 , August 2, 2011 5:53 AM
    Good call, but whoever actualy read the license agreements knows software manufacturers refuse any possible liability for any damages.
    If something is going to change, this should be the first. With these license agreements you can't claim anithing. But this change will not be easy.
  • 0 Hide
    DavC , August 2, 2011 7:53 AM
    interesting read!
  • 0 Hide
    mayankleoboy1 , August 2, 2011 3:34 PM
    Quote:
    No matter how much security you build into a system, if the user really wants to run a piece of malware they think will show them some naked pictures, they're going to figure out a way to run that program.


    exactly
  • 1 Hide
    mayankleoboy1 , August 2, 2011 3:40 PM
    if only software could be people-proof.
  • 2 Hide
    jacobdrj , August 2, 2011 5:05 PM
    mayankleoboy1if only software could be people-proof.

    "A farmer notices his chickens are getting sick, he calls in a physicist to help him. The physicist takes a good look at the chickens and does some calculations, he suddenly stops and says "Ive got it, but it would only work if the chickens were spherical and in a vacuum."" - Big Bang Theory...
  • -1 Hide
    slicedtoad , August 2, 2011 5:46 PM
    So is it safe to say that as an end user we shouldn't be over concerned about personal computer security?
    Here's my checklist. Don't download unknowns, don't password reuse (for the important stuff anyway), get a decent av (like eset) and keep your computer up to date.
    Multi-layered security on a home pc doesn't make sense, nor does 15 character alpha-numeric passwords (in most cases). No one is going to specifically target you or your pc.
  • -5 Hide
    weaselsmasher , August 2, 2011 6:17 PM
    An awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.

    What's this article really about, security or celebrity?
  • -3 Hide
    christop , August 2, 2011 7:20 PM
    Enjoyed this..Wish I had a few 0days sitting around to sell..
  • 0 Hide
    PreferLinux , August 2, 2011 9:25 PM
    pepe2907Good call, but whoever actualy read the license agreements knows software manufacturers refuse any possible liability for any damages.If something is going to change, this should be the first. With these license agreements you can't claim anithing. But this change will not be easy.

    Yes, but whether that is fully legal or not is another story.
  • 4 Hide
    cangelini , August 3, 2011 1:54 AM
    weaselsmasherAn awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.What's this article really about, security or celebrity?


    I'm inclined to answer "security" and a guy who knows an awful lot about it ;-)
  • 3 Hide
    AlanDang , August 3, 2011 2:28 AM
    weaselsmasherAn awful lot of "people like me" "researchers like me" "guys like me" "me me me me me" there.What's this article really about, security or celebrity?


    Nothing wrong with both, right? The people I invite to interview are people who do a good job of explaining complex technical things in a straightforward manner. At some point though, if you get to keynote an international NATO conference on cyber security, you deserve a little bit of bragging rights. But truthfully, Charlie is still a normal, down-to-earth-guy when doing an interview... and that's a win for everyone. You guys get access to cool content that's rarely discussed at other websites, and it's not too boring to read... and it's free. I can tell you it's way more fun talking with engineers as opposed to PR people...
  • 0 Hide
    Anonymous , August 3, 2011 4:29 PM
    @Alan Dang, you wrote: "But it seems like in today's world, the end-user is playing a less important role. The end-user with the latest software updates who is also savvy to social engineering cannot protect himself against hackers who steal credit card data from Sony."
    This is incorrect: many banks sell "virtual" credit cards services: these CC number work only for one purchase, so users *can* protect themselves.
    But the sad part in this case is that it's the security conscious users who pay the cost of the protection against hackers, not Sony and the other stupid companies storing credit card numbers on unsecured servers..
  • 0 Hide
    dndhatcher , August 3, 2011 10:29 PM
    The article is very interesting. I tried to listen to the keynote and my eyes glazed over. He's obviously got expertise with the subject matter, but could use some presentation training before he starts on the lecture circuit.

  • 0 Hide
    slicedtoad , August 4, 2011 12:53 AM
    @dndhatcher
    really? i delayed watching it for a while cause it was long but damn was it interesting. He certainly isn't in PR but he's not bad at speaking. Certainly better than mr. facebook.
  • 0 Hide
    Anonymous , August 10, 2011 10:01 AM
    Battery as an attack vector is at least (almost) as old as the original PSP. One way to install custom firmware to it is to modify the battery. Search for "pandoras battery" if you want to know more.