among the many crimes of which the “cloud” meme is guilty, the return to prominence of the ignorant, fearmongering, security “expert” ranks high. in the past few weeks we’ve had infoq proclaim the new aws console insecure because it uses passwords, based on this non-post. let that sink in, i’ll come back to it. we’ve also had the geniuses at computerworld turn this verbose and uninteresting blog post into the piracy apocalypse because, horror of horrors, ec2 lets you pay to run arbitrary code and move arbitrary bits.
passwords
the aws console using passwords is a security flaw? seriously? can you social engineer passwords or password resets out of amazon support folks? harder than you might think, and at least as hard as getting some help desk schmo at your enterprise to give you access to the corporate network. heck, don’t even call in, just email an appropriate chunk of tasty code to anyone in the joint and have the computers harvest the credentials for you.
the notion that the aws console in any way changes this equation is absurd. the console provides no new functionality. got it? it is a gui. if they could steal your credentials now, they could steal them before. aws gives you an interface to your infrastructure that makes a whole new world of automated and secure management of it possible. the baseline is at least as good as typical enterprise infrastructure (i’d argue it is better). the ease of exceeding that baseline is dramatic. where they see weakness i see strength (and their ignorance).
pirates
the scourge of bittorrent cries “avast, bezos!” and slashes its way aboard the good ship ec2. aaarrrgh! ok, not really. in reality, s3 has had a bittorrent interface since it launched (even mentioned in the article), but for some reason there has not been a sudden surge in torrent-based piracy. as for ec2, well, it’s a service to run arbitrary code. people have been running torrent clients on it almost since it launched. again, no massive upswing in the pirated bits. why? here are two big reasons: 1) the services are pay per use, not free, and 2) the aws terms of service preclude it, and amazon actually pays attention to ToS adherence.
perhaps i am giving computerworld too much credit. i had to stifle a snorting laugh when i read this:
Amazon already supports the BitTorrent protocol through its Simple Storage Service (S3), though a heavy user would likely find this service much more expensive than EC2.
compare the ec2 data transfer pricing with the s3 data transfer pricing.
even the casual observer at the back of the room is certain to note that the prices are identical. i’m surprised computerworld managed to expand the s3 name, given the quality of their “research”. i wonder if they even know enough to be embarrassed.
to all those considering aws: use it! with great control comes great responsibility, and aws gives you, in many ways, more control and more agility than almost any other infrastructure you can get. the guidelines for building and operating securely on aws are no different from those you’d use running applications on your own infrastructure. don’t let the fearmongering scare you off. this is the future, and it is good.
