Cloud Software

Two years ago I sat in an auditorium and watched an enraged  Mikko Hypponen of F-Secure on stage at LinuxCon Edinburgh talking with passion about the double standards of the intelligence communities dealing with their stance on encryption. He was beyond furious at the methodologies and underhand ways that the US and UK intelligence services had burrowed into undersea cables and broken into communications at many of the technology and internet companies that we take for granted daily, with impunity.

Now heres the thing. I am the only member of the open source community - in the entire world, who has gone on the record on tape with somebody from the White House to ask them, openly, about their stance on post Snowden world for handling things like Heartbleed, like encryption and their relationship with industry and inter agency and inter ministerial responsibilities when handling security issues. I interviewed Richard Clarke now former Senior Cybersecurity Advisor to POTUS and former senior security advisor to four previous Presidents of the United States, the week of Heartbleed and he volunteered information that I never even asked for in a candid interview on my radio show (still available on Stitcher by clicking here).

So imagine my surprise this morning when I sit up in bed and read an article on the BBC news portal with Rob Wainwright from Europol who is complaining about the stance that technology companies are now having to endpoint security, to key management and to proper end to end, in transit encryption of data in the cloud. The point Europol make is that by the proper management of SSL traffic and the more intelligent use of encryption in AMQP and other protocols it makes it harder for the intelligence services to listen to potential terrorist traffic.

Now I have to be very circumspect and proper here in how I write this article to avoid arrest. I have signed the Official Secrets Act. I have worked within GCHQ. I have been involved with the design and implementation of secure communications and encryption endpoints to Top Secret and above. I do know where the bodies are buried with regard to the weak and lax vendor acquired devices that have formed the basis of government, agency and defence spending for the last seven years.

The fact that the current and former UK governments (and their US counterparts) alongside many industry partners across multiple verticals buying the same kit have overpaid for  weak industry acquirable catalogue standard run of the mill technology. Badly written, badly managed by their vendors (for once not the governments fault) and walked blindly down alleys. This has allowed accreditors with weak understanding of cipher management and underlying dependent libraries, binaries and protocols have allowed literally hundreds of millions of pounds to have been spent on devices with less security certification than an iPhone6. These devices sit in frontline daily use today across the EU and the US. It's farcical that many governments have approved catalogues where they have approved vendor lists for devices, many of which are so badly broken and so compromised in their design and implementation that the poor accreditor or purchasing manager armed with a requirement,  an accredited service catalogue is therefore buying an outdated inferior product for four times the cost of building it properly using current shipping available code. There is NO liason, co-operation, upstream engagement, engineering or security engagement between these vendors and their outdated OS source. None. At all. Can I make this any clearer. The people shipping the boxes running the embedded Linux that powers and protects our end points reliant on nation state security DO NOT talk to the people releasing and developing it. If you were not scared before you have every right to be now. I've got the actual sources (from the vendors with their consent under GPL compliance) of a few of these devices numbering the tens of thousands in their deployment and it's beyond scary. If you were to go back in time via Distrowatch to January 2009 you would see more current, more valid sources to base your security on.

It's terrifying, if not vaguely criminal, certainly deeply unethical, that these vendors have been allowed to make hay while the sun shone, and have not engaged with the upstream OS vendor, the SSL community nor had the brains to understand the downstream implication to their government customers and have now put at risk the entire infrastructure and emergency response capability of their customers reliant on their devices.

Even when warned in writing those government agencies and accreditors because they are hamstrung by weak upstream advice on SSL and encryption ciphers and key material, through ambivalence, have instead walked hand in hand into one of the biggest potential security nightmares they can imagine. Worse there is nothing today they can do other than rip it out and start again across UK, US, EU and many member state governments whose assumptions around encryption at the core of many services is broken.

If Europol are serious then it's time they worked upstream to secure the devices that have formed the basis of the planning and infrastructure of their government partners. Instead of moaning about not being able to watch us, they should actually be asking, who is watching us ?

You can't have it both ways. We react as an industry because we form best practices. The eyes of the community are on Open-SSL to race to make sure that the fixes that have come out since Heartbleed (I was the first person to get the Heartbleed story to ZDNet the night it broke) are stringent. The fixes that have come out in three tranches since October to further harden basic function calls reinforce that. Expect to see more in the coming weeks and months as further scrutiny is poured on older functions and calls. As the implementation of PKI across Cloud and across telecommunication products and services is hardened to enforce customer security and reduce risk of man in the middle attacks and the likely attack on weak endpoints then it reduces the attack vectors and the threat fabric.

In the Open Source community we are entirely open, practical and totally enshrined on ensuring that we release early and release often and that we work stoically to get patches out to protect people reliant on secure auditable code. We don't always get it right but it's therefore even more shocking how badly many companies who then take that code to build devices forget why and where and how it came to be. Thats especially true of many supplying sensitive areas of the target market where the threat fabric is larger and the attack vector surprisingly large.

Expect the bad guys to go after the soft targets, if you're an Android user then security through obscurity, e.g throw out your phone and tablet every seven or eight months and replace them given your vendor is probably clueless (unless its Google or Samsung), if you're an Apple user you can sleep easy as long as you don't use a myriad of apps any one of them that could be handling a listening function to a service harvesting your information or device credentials.

We aren't reacting, as an industry, to lock out police and intelligence services, to state that is beyond stupid. We are reacting to protect ourselves and our customers because of the ham handed, without recourse manner that GCHQ and the NSA and other government agencies have behaved and now we're locking down upstream and mainstream services to assure companies and individuals that they do have the security they always assumed they have.

What Europol should be doing, if they understood how to engage - which clearly they don't, would be sitting down to work with us to understand how and why and where and to foster better working practices. Until that day happens then its back to the old days of seizure of devices only now the issue is that they can't read, open or interpret them, even under warrant, even with industry partners or complex rootkits.

Sadly, gloss will be painted over the fact that the technology that they've acquired themselves is so 1998 in it's design and implementation that as I pointed out it should be more worrying as to who is watching them, and more focus should be spent on fixing that in the short term. Only issue they have there is that the vendors can't help them as the vendors have only one focus, revenue. The vendors themselves don't talk to the OS vendor. How do I know this ? My phone hasn't rung and we've never spoken to them. They're too busy making money from shoddy reimplemented badly coded, badly repackaged outdated insecure code selling it to governments who accredit it secure.

This is fixable. Issue is that the right people don't sit down to fix it or to emerge from the tunnel into daylight able to even understand the core problems. They're too busy making blanket procurement decisions to buy the wrong kit from the wrong people. I'd be more worried about your own infrastructure decisions than technology companies doing their job right to circle the wagons and lock you out.

Now for those who question my authority to make these claims remember it was my security invention that protects and ensures the online safety of millions of people every single day globally, from school children across the UK and US school districts to retail businesses, hotels and motorway service stations and the myriad of devices and platforms that took their lead from our sources. For fifteen years I've made a career out of keeping people safe and doing it openly and trying to do the best I possibly can to get people to play nicely. It would be nice if someone listened and sat round a table and did something practical.

Who wants to bet nothing changes ?

So it's the festive season that has crept up on us already. Seasons Greetings folks !

Now an apology

The last five months for me have been a blur. I've been locked away writing a new portal thats launching at Red Hat in the New Year as well as working hard on the ever growing Cloud portfolio at Red Hat.

The blog has suffered because I've been more or less writing for a living and not having a single moment to myself to concentrate on getting new editorial out there. Also with the new Red Hat Cloud blog going live so soon I wasn't sure as to whether I'd kill this and just concentrate on stuff. However its now obvious that with everything I commercially write having to go past a team of fedora wearing legal eagles that to drop this conduit to the public would be stupid. Here I can post pretty much whatever I decide to within reason as I own the domain and the service.

So some new stuff thats coming up. In the New Year we launch a new portal - which is live now with a holding page and that will be featuring a cadre of some of the best talent at Red Hat, John Mark Walker, Thomas Cameron, James Kirkland, Jon Masters, Bill Bauman, Jon Benedict, Dave Neary, Rhys Oxenham, I'll be writing and broadcasting from there too. We could and should have gone live this quarter but if you hadn't noticed Red Hat had a HUGE quarter just published, continuing our steady and reliable market growth. With Cloud and non RHEL revenues now growing double digits year on year you can understand why we haven't had time to record stuff in our own spare time.

Also, I am relaunching The CloudEvangelist Radio Show thats sat dormant since June 12th. I've recorded two shows already and I'm doing a third between now and New Year with two special guests. Expect that content to go out over Christmas vacation period now I have downtime to concentrate. It will be available on Stitcher, Podfeed, iTunes and all the usual locations so watch for the launch post with links to those locations and the NEW RSS feed. The old RSS feed is dead dead dead - please delete it and add the new location when I announce it.

Other stuff. I am in talks to write a book with a legal eagle here in the UK aimed at the CIO talking about cloud law, intellectual property, cloud security and basic stuff to keep folk out of jail.

FOSDEM comes up 30th January in Belgium. I will be attending with the Red Hat crew so if you're coming out come appear on the radio show I will be recording for a fourth successive year.

So for now, from the family here at Red Hat, my family here in the South West of the UK, I raise a glass to your good health, thanks for staying the distance and look out for the radio stuff I release in the next few days.



I have been fortunate enough to be a week into a fortnights vacation away with my wife and kids at our holiday home in Spain. So right now as I look out across a beach to the sea with Gibraltar in the distance and the temperature dropping from its afternoon highs, nursing a cold beer, I've been able to fully catch up with every video released from OpenStack Summit in Paris which I wholly deliberately chose not to attend for once. I needed to recharge batteries badly and it was my genuine health or the insanity of Paris and the hubbub and noise of overfilled rooms and mass lunches and rain vs a hot sandy beach, long drinks, my amazing (decade younger) wife in a bikini and Spanish beer and food. The latter won. I make no apologies for wanting to take two weeks off for the first time in twenty five months. Anyone wanting to argue the difference needs to understand I can drown you in a the shallow end of any of the resort swimming pools as soon as look at you, after this week, I have practiced my technique. I am Aquaman of the Marriott set.

So over to OpenStack Paris 2014. The view from my sun lounger.

I've watched from afar like a demon this week. It's been great to catch up online and watch all the sessions. Actually when you're at the Summit there are sessions overlapping so you can't be in all places at once and while not all content was video'd and online the content that is there is superb. Hats off to the foundation for getting it there so fast too. You can watch the content here. Congratulations to the Red Hat team for getting so many talks accepted and the delivery of the content.

One thing is very clear, there is still enormous drive, passion and mass determination to make OpenStack releases qualified successes. Nobody can detract from the earnest efforts of all parties no matter who the contributing employer is.

First shot across the bows - my boats bigger than your boat...

Let me get one thing very straight from the get go. One thing I was very glad to see this Summit from the videos and decks that I've seen as a remote watcher. Paris seems, somewhat thankfully,  to have had a lack of the marketing BS that has become so prevalent with the constant who is the highest ranking contributor to the project as a whole. We're professionals no matter what tshirt or cap or hat you wear and who pays your salary. We're chasing a common goal and waving willies about in public to say who is the biggest or who is the best is just incredibly poor taste and detracts from a lot of the interworking and common core goals that the OpenStack Foundation are attempting to deliver. This is about good code, influencing major adoptable change in how we help people get the infrastructure that fits their cloud business case and frictionless IT. If you are scoring points what else are you missing when it comes to understanding what first world enterprise IT want ?

There are distributions out there, I work for the company who are trying their hardest to make sure it delivers what the market expects building on years of enterprise experience with Linux and putting the best engineering talent behind that gains recognition from the markets wanting to trial and consume it. Those consuming enterprise customers markets don't need or appreciate a poorly conceived marketing slide that is at best oneupmanship, at it's worst just a 140 character land grab, it has no place in thought leadership. Period. Don't tweet me or send me a deck or marketing swag with it on or I'm getting the elephant gun and my steel toe capped boots on and going hunting.

So now I've got my  pet moan out of the way lets talk shop as an external watcher perceiving how the world is consuming OpenStack latest greatest in bite sized chunks.

First up, keeping it simple

OpenStack has aggressive release cycles, has a multitude of sub projects and a host of goodwill and contributed code that deservedly allows it to rank as the leader of the upper echelons of Open Source goodness. A shining beacon of how to do things and achieve both success from a release and maintenance perspective but also of marshalling talent and consumptive code contributions from individuals, companies and projects to come up with a release cycle that is hard work to maintain against. My congratulations - and genuine admiration - of those involved many of whom I know and respect hugely can go on the record here as it has in presentations and podcasts I've released all over the world.

One issue is perception by the watching consuming public and the enterprise architects and that is the need, the fundamental core principle of keeping it simple. Plainly put Icehouse and Juno are still seen as rocket science to many in core consumable released non supported format. I watched one video from the team at Rackspace that called it exactly right and I hope that it gets some airtime and credit as it was right on the money as a call to arms for the Foundation and the maintainers to get to a point where ease of use has to be a mission statement. Fostering ecosystems is critical, bringing functionality into the core is a constant need.

Do we need any more plaudits ?

Not knocking Jim Zemlin in his keynote as anyone else blowing hype and sunshine up our combined asses as to how big "a blockbuster" is simply needs to stay home, the last thing you need to do in a room full of excited OpenStack types is to pat mutual backs and inflate already inflated egos. What's actually needed is more critical leadership around concentration on maybe looking to increase the width of the release window (six months is overly aggressive and actually makes new adopters shrink back in fear) and to educate and mentor maintainers of sub projects as to the needs to increase the fundamental ease of use of their functions and core capabilities.

Also - are we solving the problems that actually are relevant in the marketplace ? Are we moving at such a pace that we're not engaging with required functionality and getting instead the sexy stuff like SDN in there because it's en vogue ?

Right now, today, I see more, bigger, mainstay companies who have deployed Apache CloudStack over OpenStack and these aren't small organisations they're big companies, because it does what they need to and it doesn't terrify the life out of them. If OpenStack is going to be in that same vein, remembering that the Apache CloudStack ecosystem combined with the clueless parent company has 0.1% of the mindshare and the groundswell push behind it then it has to do basic stuff better. Some of that is packaging, fairy dust, documentation and means that Foundation and contributors need to engage better with their future consumptive masses.

For us, we take what is out there, polish it, build it into a supported product with a pedigree and core function behind it and deliver it to people who want to feel safe. If I was a CIO today looking at OpenStack I'd want to match core fears of "being able to keep up" with a comfort factor of having something supported. At the core the functionality and the best practices need to tighten up to allow OpenStack the success it deserves. Theres a very real chance it will miss a high percentage of its goals if it doesn't listen.

My genuine admiration and worthy applause goes out to all speakers, panellists, those on booth duty and who took time out to attend. Me, I was on a beach with a beer. Genuinely, right now as yet another cold beverage disappears and the light fades over the white stucco plaster of the houses here in Estepona on the Costa Del Sol I need to be convinced that catching up via YouTube, Twitter and the polished editorial of Steven J Vaughn Nicholls et al isn't a better way to do Summit than fighting for a seat in a crowded room and queuing for a mass meal with 4600 other attendees.

Kudos to all of you who did make the effort to go.

Yesterday I was at London Ceph Days, an event co hosted by Red Hat and Dell talking the latest Ceph goodness. Great venue near Barbican, well attended but for those who couldn't make it or geographically seperated by distance I thought I'd take a mini studio of HD video cam, and some small studio lights and do a recording with Russ Turk VP of Community at Inktank, now a Red Hat company.

Always a pleasure to talk with Russ, we have a mutual employment history going back a long time and he's genuinely passionate about storage, cloud and the open source movement that we've spent so long working to prosper.

Here's the video. It will scale up to 720 and 1080p if you change your viewing options accordingly.