OMIGOD: Cloud providers still using secret middleware

Researchers from Wiz, who previously found a series of four serious flaws in Azure's Open Management Infrastructure (OMI) agent dubbed "OMIGOD," presented some related news at RSA: Pretty much every cloud provider is installing similar software "without customer's awareness or explicit consent." In a blog post accompanying the …

  1. Pascal Monett Silver badge

    "they also add new potential attack surfaces"

    Okay, is it time to stop the bullshit about The Cloud™ being easy to use?

    When it is working (which is not all the time) you have to track your usage (otherwise the bill at the end of the month is a punch in the gut), you have to ensure secure access, and now you also have to ensure against attacks you don't even know about.

    I have a revolutionary idea: how about housing that server in your own server room?

    1. Clausewitz4.0 Bronze badge

      Re: "they also add new potential attack surfaces"

      Housing your own server has been working quite well for the past 40 years.

      Encrypted backups in the cloud? Ok...

      And you are not subject to secret subpoenas. If someone wants access, they will knock on your door.

      1. ITMA Silver badge

        Re: "they also add new potential attack surfaces"

        As I posted in another discussion on El Reg...

        "He (she) who has physical control of the hardware your data/software is on, has ultimate control over it".

    2. Version 1.0 Silver badge

      Re: "they also add new potential attack surfaces"

      "There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies and the other way is to make it so complicated that there are no obvious deficiencies."

      - C.A.R. Hoare, The 1980 ACM Turing Award Lecture

    3. elsergiovolador Silver badge

      Re: "they also add new potential attack surfaces"

      You can still rent a dedicated server with unmetered pipe, slap something like Rancher on it and you'll have your own "cloud".

      Then you notice that the whole thing is miles faster than the cloud instances you used to use, and then you will have to stomach the feeling that you have been ripped off the whole time.

      1. Joseba4242

        Re: "they also add new potential attack surfaces"

        If running VMs and containers is all you need, sure. That's not what cloud is really about though.

    4. Warm Braw

      Re: "they also add new potential attack surfaces"

      "the bill at the end of the month"

      While there's been a lot of concern about security, that's the one that doesn't get discussed enough. None of the cloud providers - as far as I can tell - will do anything more than make an effort to warn you if you exceed a budget you define in terms of multiple obscure parameters.

      I'm not aware of any targeted "Denial of Money" attacks, but a hostile party could soon cause a substantial bill. It's simply not good enough that a user's only defence is to be on alert 24x7 in perpetuity.

      1. Claptrap314 Silver badge

        Re: "they also add new potential attack surfaces"

        They exist. These pages covered a story about it.

        It is not clear to me who would execute such an attack. Perhaps an oppressive regime attempting to punish opponents?

    5. hoola Silver badge

      Re: "they also add new potential attack surfaces"

      This takes it full circle. The point of the "Cloud" is that you don't have to manage loads of layers; that is the responsibility of the provider. Unsurprisingly, they are going to use all sorts of tools to make that as easy (and cheap) as possible.

      A cloud provider can use whatever tools they want, including anything they develop themselves. That they use their own custom tools is, again, no surprise: it is cheaper, and history has repeatedly shown us that a commercial product does not automatically make it secure. The technologies that are used to support and manage their cloud are always going to be a closely guarded secret, as this is the area where competitive advantage will come in.

      What do the author and RSA conference expect?

      1. yetanotheraoc Silver badge

        Re: "they also add new potential attack surfaces"

        "What do the author and RSA conference expect?"

        They expect that people who don't already know what you stated might do something different if they learn about it. That bears shit in the woods might be useful knowledge for someone who is new to the woods and doesn't know anything about bears. Also, there is a battle of misinformation going on. Marketers describing bears as warm and furry need to be counterbalanced with useful if banal facts like: they have teeth and claws, run fast, and can climb trees.

  2. stiine Silver badge

    re: the padlock

    Don't trust any lock. If you want to know why, search youtube for 'the lockpicking lawyer' and watch him open lock after lock after lock after holy shit lock.

    1. Anonymous Coward

      Re: re: the padlock

      Get a bluetooth smartlock.

      Then he has to get some specialised tools.

      Like a screwdriver.

      1. Wapiya

        Re: re: the padlock

        For things that are only protected by a padlock, that would be the preferred attack against my padlock.

        Makes insurance claims simpler when there is catastrophic physical damage to a lock. Proof of a picked lock requires more to get the insurance to pay.

      2. katrinab Silver badge

        Re: re: the padlock

        The tools of choice for a bluetooth smartlock are generally:

        - a bit of red bull can

        - a urethane mallet (piss hammer)

        - a magnet

        - a paper clip

        - a wave rake

        Only one of the above, not all of them.

  3. man_iii

    It is normal in every Cloud

    If you wish to monitor and log your cloud resources using the cloud provider's services, you get to install their agent. In Azure it's called omsagent.

    I gotta say, if you go "cloud" it does have advantages. Without good architects and support staff you won't get good results on ANY platform.

    IT is not for idiots to implement. That includes "cloud".

  4. Anonymous Coward

    The Cloud

    Other people's computers you have no control over.

  5. NoneSuch Silver badge

    I'm Not Psychic, but...

    "While a different type of MFA at each checkpoint definitely adds an additional layer of security, it's unknown how well users would adapt to the user experience friction created by needing a different form of MFA for each granular access request."

    Badly.

    1. yetanotheraoc Silver badge

      Re: I'm Not Psychic, but...

      I think you _are_ a psychic. Can I play?

      I see a giant opportunity for a Xage app to handle the multifarious MFAs in one location, thus salving the users' friction.
