[lug] Why is it SO easy to destroy cloud environments?

Paul E Condon pecondon at mesanetworks.net
Sun Oct 21 10:19:14 MDT 2012


For the tapered screw threads, there was not a government mandate,
there was a consensus standard of the industry, and NBS was the
maintainer of the physical reference objects. NBS and, I think, also
NIST never has regulatory authority. They also provide calibration
standards for all sorts of specialized test equipment, thermometers,
voltmeters, etc.

While writing the above I thought of a valid reason to have government
regulations that apply to the cloud specifically. There is a
possibility that a business that is engaging in an illegal activity
will keep its records in the cloud precisely because destroying the
records in the cloud is much easier and faster than burning paper in an
incinerator. Unless this possibility is dealt with by consensus
standards, there is no possibility of avoiding government regulation.
There will never be a time when there is no government, and there is
a long history of the behavior of government. Where there is criminal
activity that comes to light, there is government response. 

About the original issue, instant destruction of whole environments, I
think it can be addressed by changing the behavior of cloud software
in a simple way: Instead of simply destroying the environment, the
software sequesters it in some sort of 'jail' where it is inaccessible
except by special access rules that involve a lot of special actions
in order to regain access. The environment remains in this sequestered
state for a longish period. For the developer who wants to destroy his
creation, it is effectively gone, and sequestration is no restriction
on his freedom of action. But for the business that has an employee
who made a mistake there is a possibility of a recovery. And for the
criminal business there is the near certainty of a Court ordered
recovery of the environment. Now, it takes discussion of competent
people to work out the details and implement them.

But maybe the government is the origin of the destroy command. Maybe
the CIA wants the destroy command to be universally available, and
has issued instructions to all developers of cloud control software
to have a fully functional destroy command or ... else. They want
the command to be available for some secret reason, and they have
also made it clear that the 'else' would happen to anyone who complains
in public. Now that is a really paranoid idea. Can you top it?

On 20121018_103206, David L. Willson wrote:
> <insert obligatory rant warning here>
> 
> I appreciate your desire for safety, but I do not have a matching desire. Give me more speed, dammit. Where's the throttle on this thing?
> 
> I'll take the backups, or I won't, and it will be my choice.
> 
> 'sw'elp me ... If I end up limited in my ability to set-up AND tear-down environments quickly ... by the goldurn government and its techno-illiterate thugs ... because of the efforts of my own ~friends~ ... I may have to give up hope. THAT would be worse than GoDaddy endorsing PIPA/SOPA/rope-a-dope-a.
> 
> If you don't like this level of convenience on this particular operation, disable it. If you can't, complain to the maker of the product. If they don't care, choose another product. If every product offers functionality you don't like, make a new one, and maybe folks that think like you will help and/or buy your new product.
> 
> Do NOT force your preference on me by a government mandate. Please.
> 
> --
> David L. Willson
> Trainer, Engineer, Enthusiast
> RHCE Network+ A+ Linux+ LPIC-1 Ubuntu
> Mobile 720-333-LANS(5267)
> 
> This is a good time for a r3VOLution.
> 
> ----- Original Message -----
> > Rob,
> > I lurk on this list. I started when I moved to Boulder County from
> > California nine years ago. I'm a retired physicist who has been
> > following Linux since late in the 1990s, never reaching anything
> > approaching expert status. I also follow politics by lurking on
> > the web.
> > 
> > It seems to me that your concern is much more than an annoyance to a
> > programmer. Leon Panetta (sp?) is in the news recently raising
> > alarums about terrorists attacking our cyber infrastructure.  Yours
> > is an issue of national importance. I can't do much about it other
> > than encourage you, and point out to you a local government
> > organization that might be able to help, and to maybe act as a
> > concerned citizen go between in case you have concerns about rattling
> > the chains of local bureaucrats. (Boulder is still a pretty small
> > town by national standards.)
> > 
> > NIST has a long history of working with industry to develop national
> > standards on all sorts of industrial issues. (I remember seeing at
> > the old campus of the Bureau of Standards, (NBS) some really big
> > tapered screw threads, which were described to me as the primary
> > standards for the threads on the ends of lengths of drill pipe in the
> > oil industry. NIST is the new name for NBS.)
> > 
> > According to the NIST website, they have a program in cloud computing.
> > They should be interested in your rant/concern. If you have tried to
> > talk to them and failed to get thru to anyone who appreciates the
> > problem, Jared Polis is our local Congressman. Like all
> > Congresspersons, he maintains a local office and a local staff mainly
> > for the purpose of helping people who want help from the government
> > bureaucracy. It seems to me that in the current political climate,
> > belief that small business is the carrier of the American dream is an
> > article of faith. There really should be a vigorous response to even
> > very gentle prodding. If you don't think you can handle talking to a
> > politician, I can front for you to keep your name off the radar
> > screens of political wackos. But realize I'm not an expert in cloud,
> > or any other type of, computing. I may muddle the situation, if I get
> > involved.
> > 
> > It's OK for you to show this letter to anyone who questions you about
> > doing more than ranting on this issue. I think it's your civic duty.
> > 
> > On 20121009_114342, Rob Nagler wrote:
> > > > I can't believe you found it within yourself to type that... even
> > > > in jest!
> > > 
> > > This is very serious to me, and why we have no production VMs at
> > > bivio.  We use the cloud, but only for development and test purposes.
> > > 
> > > How is "juju destroy-environment" any different than my for loop?
> > > 
> > > Here are the account cancellation policies for Linode and AWS:
> > > 
> > > http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/index.html?cancel-ec2.html
> > > http://library.linode.com/linode-platform/billing#sph_account-cancellation
> > > 
> > > Just for reference, here's what it says when I click on Cancel
> > > Account in AWS:
> > > 
> > >  Account Cancellation
> > > 
> > >     Once you select to cancel your Amazon Web Services account, you
> > >     will be required to sign up as a new user to begin using AWS again.
> > >     All of your current data will permanently be deleted and you will
> > >     immediately lose access to Amazon Web Services.
> > > 
> > >     Are you sure you want to cancel your AWS account? NOTE: You will
> > >     not be able to undo this cancellation.
> > > 
> > > The last line is amazing.  Your backups, snapshots, data, VM config,
> > > etc. are all going to be gone if you click "OK".  I've done this, and
> > > they are gone, forever.
> > > 
> > > Every cloud platform I've seen has this "Destroy World!" feature,
> > > which actually, is much easier than "Hello, World!".  Way more clicks
> > > to create and configure a single VM than to destroy your entire
> > > platform.
> > > 
> > > I think we have learned nothing from our past.  Read this article by
> > > Brian Reid from 1986:
> > > 
> > > ftp://rtfm.mit.edu/pub/reid.txt
> > > 
> > > This is worse than a screwdriver with a gelignite handle.  It's more
> > > like a screwdriver with a bunker busting bomb attached to the handle.
> > > 
> > > I have talked to numerous so-called experts about this problem, and
> > > nobody has 1) even thought of it, or 2) come up with a workaround.
> > > Even if you do "rm -rf /" on a real server, it doesn't destroy your
> > > backups, too.  It won't destroy disks in a vault, ever.  It doesn't
> > > destroy the physical computers.  Also, btw, it doesn't happen very
> > > quickly on a system with TBs of data.  Somebody would have to be
> > > pretty sneaky and really good to kill a large site by running rm -rf
> > > on all servers without you noticing.   "Destroy World!" is
> > > instantaneous.
> > > 
> > > I've been working in distributed systems for decades.  I have done
> > > some really, really dumb things, which were all recoverable.  As an
> > > example, I was the creator of the rsh configuration which amplified
> > > the problem in Reid's expose above.  There are some real issues with
> > > automation to this degree, and I learned that lesson in 1986.
> > > 
> > > It's only a matter of time before some large site goes down, hard
> > > and forever.
> > > 
> > > Rob
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > Join us on IRC: irc.hackingsociety.org port=6667
> > > channel=#hackingsociety
> > 
> > --
> > Paul E Condon
> > pecondon at mesanetworks.net

-- 
Paul E Condon           
pecondon at mesanetworks.net
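
The sequestration scheme proposed in the message above, sketched as an added example; it is not part of the original post and is not code from any cloud product. The 30-day retention period, the two-approver recovery rule, the legal-hold flag and all names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

RETENTION = timedelta(days=30)  # assumed length of the "longish period"
APPROVERS_REQUIRED = 2          # assumed "special access rule" for recovery

class State(Enum):
    ACTIVE = "active"
    SEQUESTERED = "sequestered"
    PURGED = "purged"

@dataclass
class Environment:
    name: str
    state: State = State.ACTIVE
    sequestered_at: Optional[datetime] = None
    legal_hold: bool = False  # assumed flag, e.g. set on a court order
    approvals: set = field(default_factory=set)

    def accessible(self) -> bool:
        return self.state is State.ACTIVE

    def destroy(self, now: datetime) -> None:
        """User-facing 'destroy': instantly inaccessible, data kept."""
        if self.state is not State.ACTIVE:
            raise ValueError(f"{self.name} is not active")
        self.state, self.sequestered_at = State.SEQUESTERED, now
        self.approvals.clear()

    def approve_recovery(self, approver: str) -> bool:
        """Record one approval; restore once enough distinct people agree."""
        if self.state is not State.SEQUESTERED:
            raise ValueError(f"{self.name} is not sequestered")
        self.approvals.add(approver)
        if len(self.approvals) < APPROVERS_REQUIRED:
            return False
        self.state, self.sequestered_at = State.ACTIVE, None
        self.approvals.clear()
        return True

    def purge(self, now: datetime) -> bool:
        """Irreversible deletion: only after retention and with no hold."""
        if self.state is not State.SEQUESTERED:
            raise ValueError(f"{self.name} is not sequestered")
        if self.legal_hold or now - self.sequestered_at < RETENTION:
            return False
        self.state = State.PURGED
        return True
```

The only irreversible transition is `purge`, and it is gated on elapsed time rather than on anything the person issuing `destroy` controls.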



