On 27 May 2008, at 16:33, Robert Bonomi wrote:
From [EMAIL PROTECTED] Mon May 26 21:16:58 2008
Date: Tue, 27 May 2008 07:46:26 +0530
From: "Suresh Ramasubramanian" <[EMAIL PROTECTED]>
To: "Colin Alston" <[EMAIL PROTECTED]>
Subject: Re: amazonaws.com?
Cc: [EMAIL PROTECTED]
On Tue, May 27, 2008 at 1:10 AM, Colin Alston <[EMAIL PROTECTED]> wrote:
On 26/05/2008 18:13 Suresh Ramasubramanian wrote:
I didn't actually, Bonomi did .. but going on ..
Mis-credit where mis-credit isn't due ... Twasn't me, either. <grin>

I just commented that I couldn't think of a reason for a _compute_ cluster to need access to unlimited remote machines/ports. And that it could 'trivially' be made an _automatic_ part of the 'compute session' config -- to allow access to a laundry-list of ports/machines, and those ports/machines -only-.

If Amazon were a 'good neighbor', they _would_ implement something like this. That they see no need to do _anything_ -- when _actual_ problems, which are directly attributable to their failure to do so, have been brought to their attention -- does argue in favor of wholesale firewalling of the EC2 address-space.

If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.

Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
This is a classic example of externalities in the economics of security.

Currently, any damage caused by Amazon customers costs Amazon little or nothing. The costs are borne by the victims of that damage. On the other hand, mitigating this damage would cause Amazon costs, in engineering and lost revenue. So in economic terms they have no incentive to 'do the right thing'.

So to get Amazon to police their customers either requires regulation or an external economic pressure. Blocking AWS from folks' mail servers would apply some pressure; making areas of the net go dark to AWS would apply more pressure faster. A considerable amount of pressure could be placed by a big enough money damages lawsuit, but that has a feedback delay of months to years.