In this episode, we dive deep into a recent and highly sophisticated SSH intrusion attack that was discovered in the Linux kernel. We’ll discuss how the attackers were able to inject a backdoor into a critical compression library, leveraging social engineering tactics to become a trusted maintainer over several years.
Tag Archives: Security
UEFI Trust & Secure Boot Issue
We explore the UEFI certificate issue in which secure boot is potentially compromised. Certificates that are included in most UEFI BIOSes have been compromised in ways that could easily be used as an attack vector. This is a very significant flaw and something that should be on your radar to fix and patch.
We’re going to talk about what the issue is, why it’s important, how secure boot works, and what you can do to mitigate this problem in your own infrastructure. An important episode for anybody running or managing desktops, data centers or any infrastructure of any type.
Transcript: otter.ai/u/H15Z2NZDom8Hta8gHJ…?utm_source=copy_url
Identity vs Privacy? Trade-offs required?
How can digital identity be used to build better trust and systems in our daily transactions? There are really significant challenges and consequences to having a national guaranteed identity – a single identity provider.
Knowing who you’re interacting with, in every form, in every situation is not as simple as you might think. There are a lot of analogues to physical identity that are worth considering.
What would it mean for us to not have privacy? Does identity mean we don’t have privacy in our interactions? Who can we trust and what authority do they have?
Transcript: otter.ai/u/o_43fyGjxu24Ur5rpz…?utm_source=copy_url
Image by DALL-E, prompt: a cartoon-like image of a humanoid robot looking into a mirror and seeing a masked pirate version of itself
Domains And Access For Metadata
What actually is used to describe the provenance and information that comes with our data? Today we discuss metadata and the governance, security, hint, domains, date that accompany data in ways that in some senses are more important than data.
How can we move, change and transform data? We had a really robust conversation about how access to data is so critical in actually understanding how data is used.
This is a topic we struggle with: figuring out the naming, how things work, and the context. More than anything else, the context makes things challenging. As you listen to this, think through how challenging it is to define data, data governance, and using data effectively.
Transcript: otter.ai/u/VE2u_jTwG_h4z9ewfI…?utm_source=copy_url
Image: www.pexels.com/photo/cheerful-bl…hoolkids-5905918/
Data Cartels Book Discussion
The book Data Cartels by Sarah Lamdan serves as a starting point for our discussion today. www.amazon.com/Data-Cartels-Comp…ion/dp/1503633713
A dense and thoughtful book, it is straight up the alley of the type of conversations that the2030.cloud has. Our analysis of the book and the challenges it provides – the data compliance governance, the legality, the threat, and broader implications of what Dr. Lamdan lays out – are all really important.
Today’s podcast is understandable and interesting without having had to go through and read the book, but I still recommend that you do.
Transcript: otter.ai/u/T5CJzO8pMrpGnLVGo4…?utm_source=copy_url
Image: www.pexels.com/photo/lady-justic…-a-gavel-6077123/
What is Zero Trust?
How can you execute on a zero trust strategy and what do you need to keep in mind while building it? Today covers the 101 and 201 levels on zero trust.
We had a really good conversation about how it works, what doesn’t work, what you need to be prepared for. Even if you think you understand zero trust, you will get something out of this conversation. And if it’s a new topic for you, you can also benefit from this pragmatic discussion of zero trust, security and application architects.
Transcript: otter.ai/u/Z1SO1WuJYT3JmEctZe…?utm_source=copy_url
Image: www.pexels.com/photo/wooden-chai…ll-studio-963486/
Meta Data, Dark Data and Intent
https://soundcloud.com/user-410091210/meta-data-dark-data-and-intent
Data comes from many different places, sources, and ways. Some data we call dark data, which is data not accessible to you, and all of it relevant. Today we talk about metadata as part of the governance control management exposure of data.
An important layer beyond the data itself is the governance intent, how people access it, and how you combine data. We discuss exactly what that is, but still only touch the surface.
References:
yago-knowledge.org
en.wikipedia.org/wiki/Ontology
Transcript: otter.ai/u/rP_4gi-iDont0r2CaZ…?utm_source=copy_url
Image: www.pexels.com/photo/apples-and-…n-books-14098062/
Rob’s Hot Take:
In the Cloud 2030 Podcast episode on metadata and building a data control plane, Rob Hirschfeld emphasizes the challenge of controlling data egress due to its diverse sources and destinations. He contends that rather than attempting to create a locked box for all data, the focus should be on embedding information, particularly metadata, to control data consumption. Hirschfeld envisions a distributed system for a data control plane, involving multiple parties managing and providing consistent rules for data use, acknowledging the complexity of data storage across various locations. He encourages listeners to explore the insightful February 2nd episode and engage in ongoing conversations at the2030.cloud.
Infrastructure Governance As Code
We continue our Governance as Code discussions in today’s episode.
We started by very broadly looking at Governance as Code generally, but quickly drilled down into Infrastructure as Code meets Governance as Code focused discussion. Understanding that intersection is critical to building something that is both automated and governable.
The topic explored how we audit controls for systems. We also need to make sure that when we build infrastructure, it’s following our policies. The challenge here is making sure that what we’ve automated is conforming to our governance.
Image: www.pexels.com/photo/group-of-pe…tructure-2100942/
Transcript: otter.ai/u/-vI03TkWcLpvTIBRrrKE9DugYvw
WTF My MFA is MIA
How do authorization systems need to be built and made resilient for distributed infrastructure? We discuss how having a single centralized authorization system is incredibly fragile compared to distributed edge infrastructure.
Everything we build has some element of distributed component tree and resiliency in it, and we need to make sure that the authorization systems are included in that analysis.
We explored how you can make MFA more resilient and how you can improve the security of authentication by building additional layers of trust based on behaviors.
Transcript: otter.ai/u/KTg3WSqSKuswLIypoBwD4HyMzcA
Image: www.pexels.com/photo/hand-holdin…sh-drive-5474298/
Rob’s Hot Take:
In the April 28th Cloud 2030 Podcast, Rob Hirschfeld delves into the challenges of implementing two-factor authentication (2FA) in distributed infrastructures with centralized authentication. The critical problem revolves around creating resilient systems that don’t solely rely on external factors for authentication, considering the potential impact on every service and component in the infrastructure. The discussion emphasizes the importance of behavioral analysis in authentication, scrutinizing user behavior to ensure trustworthiness, especially in scenarios where full authentication is not available. The full conversation explores these aspects in depth, providing valuable insights for building resilient infrastructure. Join future discussions at the2030.cloud.
Can Machines Update Themselves?
We know that humans have trouble keeping systems updated, but… how can we address the challenge of knowing which updates are required and, critically, if the updates will break other systems? Even knowing if they worked is a really thorny problem!
In this episode, we focus on actions about what’s going on and why this problem has persisted in industry for so long, starting from the news of the day about CentOS 8 mirrors being taken down. That’s exactly the type of challenge we are facing when we think about where updates and repos are coming from.
Transcript: otter.ai/u/rRMIT6kkTTtyWrzdBnuq63nvKuE
Photo: www.pexels.com/photo/a-man-using…quipment-5996696/
Rob’s Hot Take:
Rob Hirschfeld, CEO and co-founder of RackN, discusses the challenges of system maintenance and lifecycle in the Cloud 2030 podcast. He emphasizes the difficulty of keeping systems up to date and understanding dependencies, leading to a lack of confidence in system updates due to the fear of breaking or degrading them. Hirschfeld advocates for a change in the industry to prioritize test and verification practices, enabling more effective and confident system updates.