Cloud computing can be a great thing, who knew?

When I went to BruCON recently, one of my favourite presentations was ‘Project Skylab 1.0: helping you get your cloud on’ from Craig Balding.

The full presentation slides can be found here: http://www.feedsite.org/security4all/BruCON_2010_skylabv2.pdf

The thing that I mostly liked about this talk, among with the other great ones, was the fact it really got me thinking and that I had ideas flying through my head as the talk was still being done.

I have always been very skeptical of so called ‘Cloud Computing’.

This is due to the way it is used by companies and within the media, when they use it as such a general term that is trending at the moment. And it is used in such ways that if you add that it is ‘in the cloud’ the your product must be undeniably amazing.

I have also been skeptical of it due to the fact that when using these services, you are expected to just trust the company you are using, when they don’t really give any indication that they are trustworthy, apart from them perhaps having a well known name – and just because your company name is amazon, or Google, does this mean that I should trust you more with my data than a random stranger in the street I’ve never met before?

But as Craig pointed out, there are 3 layers in the cloud services model (which I didn’t realise):

Software as a service (Saas) – which is the basic one that everybody has heard of,

Platform as a service, and the last layer (which I hadn’t heard of),

Infrastructure as a service.

Now I found this last service really interesting, mostly as he was using examples that could relate to specifically to the security industry, but it was also the service that had me thinking about the possibilities and real advantages that cloud computing could have to me specifically. This is another reason I had never really cared much hearing about cloud computing, as I had never really thought of any great advantages that I could have testing, or exploiting.

I’m not going to go into great detail of what Craig discussed in his presentation, as (even just for the cool slides) you should check them out for yourself (link at top).  But an example that I specifically remember is the idea of being able to use infrastructure as a service easily for password cracking, as you could use VMs on demand, distributing the cracking over the many VMs, and if you wanted it quicker, you could just pay to use more VMs.

At last I’ve found a reason to actually really look forward to cloud computing, and this also doesn’t have as many security concerns, (for me at least, which after all would be my main concern when using cloud computing) as most uses would be on an on-demand basis, so the data used probably wouldn’t be that important, as I wouldn’t be expecting to keep it. And if there was, you could always build a personal server for cloud use of important data.

In the end it was a good presentation, that really got me thinking, which is probably why I enjoyed it so much. And I advise you to check it out yourself.

The video of the presentation should be available shortly through the BruCON website http://2010.brucon.org/

Brucon 2010 - my thoughts

This was the second year of BruCON, and my first time and my first time at any security/hacker conference at all, so as you can imagine, it was a little disconcerting.
To start off with it was a bit scary, going there on my own (I was supposed to be going with friend who couldn’t make it), country I'd never been to, and using language I didn't know, and since I’m just a student at university, spending a lot of my free time studying security and trying to keep up with everything I already felt a bit of an outsider to the whole community there. I didn’t really know anybody there (by that I mean I’ve spoken to a few of the people on Twitter, but it isn’t the same). And there’s also the fact I don’t actually work in security, I don’t work in the same environment day in day out, so there will obviously be a lot of stuff that is way over my head, as I am still just learning a lot of the stuff.

Due to the fact that I didn’t know many people, I still spent as little time as possible socialising (not sure whether it was the best tactic or not), but this meant that I spent all the time in presentations and workshops.
And if I was forced to describe the whole thing in one word, it would be awesome!



Obviously, there were some presentations/workshops better than others, but this is just a human reaction to compare things. But the best presentations and workshops were the ones that got me really thinking about that specific part of security, like Didier Steven’s workshop on malicious PDF analysis, or Craig Balding’s presentation on cloud computing and Chris Nickerson’s presentation, “Top 5 ways to steal a company” which ended being edited slightly.


I wish I had tried more to socialise though, as once I had got into it (mostly on the second day), it was really interesting to talk to people about things I did and didn’t know about and meet a few of the people I regularly read blog posts from or follow and talk to on twitter.


I wish I could’ve made it to a couple of the other workshops, like the DVWA and lockpicking workshops, and Samy Kamkar’s talk “How I met your girlfriend” which I was only unable to attend due to the small size of the room.

I fully intend to be booking my ticket for next year as soon as they are released (and book a hotel in a better location next time), signing up for the hex factor, and perhaps even putting my name down for a lightning talk.
Basically, I thought BruCON was great, and as long as I can make it, I will be going next year, and hopefully go for the training on the days before.