Love your country, but never trust its government

Hacker News Daily 上看到的,在 Sun-2 的 bootloader 裡可以看到「Love your country, but never trust its government」這樣的字串:「Why the Sun 2 has the message "Love your country, but never trust its government"」。

這段字串是由 John Gilmore 當時在 Sun 開發時所放入的,John Gilmore 同時也是後來 EFF 創辦人之一,不過當初放入這段字串的目的是為了抓到盜版:

Yes. Vinod Khosla, first President of Sun, came to me at one point and said to put something hidden, triggered in an unexpected way, into the ROM Monitor, so that if somebody cloned the Sun Workstation (violating our software’s copyright), we could do that unexpected thing to the competitor’s demo workstation at a trade show and thereby prove that they had cloned it.

過了三十年後 John Gilmore 被挖出來問的回應也是蠻有趣的... (可以參考原文附上的信件)

而這句話現在回頭看也很經典,尤其是最近各國政府想要在 crypto system 裡面放後門的各種反應。

Amazon EC2 預定要推出的 Dedicated Hosts

Amazon EC2 愈定要推出新的購買方案:「Coming Soon – EC2 Dedicated Hosts」。

Dedicated Hosts 的租用是以整台主機為單位,以確保整台實體機器不會有其他人使用,對安全性的要求會比較好。這邊拿 c3.xlarge 來舉例,一次就是八台的費用:(這邊「八台」的數字是未定的,真正的數字要等正式公告上線後才知道)

Each host has room for a predefined number of instances of a particular type. For example, a specific host could have room for eight c3.xlarge instances (this is a number that I made up for this post). After you allocate the host, you can then launch up to eight c3.xlarge instances on it.

會有這樣的需求主要還是因為有些軟體還沒有適當的 cloud-based licensing (授權方式),當 BYOL 時 (Bring Your Own License),會需要能夠對實體機器有更多控制權:

We want to make sure that you can continue to derive value from these licenses after you migrate to AWS. In general, we call this model Bring Your Own License, or BYOL. In order to do this while adhering to the terms of the license, you are going to need to control the mapping of the EC2 instances to the underlying, physical servers.

另外這對於安全性理由也多了個解決方案,像是需要實體分離避開各種 side-channel attack。不過 AWS 之前就有提供其他的方法。

對於軟體有支援 CloudHSM 的,可以考慮直接使用這個解決方案,private key 直接放在 HSM 上,而且 AWS 有符合常見的安全標準。

而另外對於有跟美國政府簽約的數據需求,可以用 AWS GovCloud (US),讓一般人根本接觸不到。

對於一般單位的需求,也可以用 Dedicated Instances 來確保實體機器上只有單一客戶,而這也能買 Reserved Instances 確保使用權,以及對應的折扣。

所以這次 Dedicated Hosts 比較像是商業授權上的需求而產生出來的解決方案,而不是安全性需求...