On 27 May 2008, at 16:33, Robert Bonomi wrote:
From nanog-bounces@nanog.org Mon May 26 21:16:58 2008
Date: Tue, 27 May 2008 07:46:26 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Colin Alston" <karnaugh@karnaugh.za.net>
Subject: Re: amazonaws.com?
Cc: nanog@merit.edu
On Tue, May 27, 2008 at 1:10 AM, Colin Alston <karnaugh@karnaugh.za.net> wrote:
On 26/05/2008 18:13 Suresh Ramasubramanian wrote:
I didn't actually, Bonomi did .. but going on ..
Mis-credit where mis-credit isn't due ... Twasn't me, either. <grin>
I just commented that I couldn't think of a reason for a _compute_ cluster to need access to unlimited remote machines/ports. And that it could 'trivially' be made an _automatic_ part of the 'compute session' config -- to allow access to a laundry-list of ports/machines, and those ports/machines -only-.
If Amazon were a 'good neighbor', they _would_ implement something like this. That they see no need to do _anything_ -- when _actual_ problems, which are directly attributable to their failure to do so, have been brought to their attention -- does argue in favor of wholesale firewalling of the EC2 address-space.
If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.
Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
This is a classic example of externalities in the economics of security. Currently, any damage caused by Amazon customers costs Amazon little or nothing. The costs are borne by the victims of that damage. On the other hand, mitigating this damage would cause Amazon costs, in engineering and lost revenue. So in economic terms they have no incentive to 'do the right thing'. So to get Amazon to police their customers either requires regulation or an external economic pressure. Blocking AWS from folks' mail servers would apply some pressure; making areas of the net go dark to AWS would apply more pressure faster. A considerable amount of pressure could be placed by a big enough money damages lawsuit, but that has a feedback delay of months to years.
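Bonomi's point above is that a compute session's egress could be restricted, automatically, to a short list of ports/machines and nothing else. As an added example (not code from the thread or from Amazon), the following sh function turns such an allow-list into default-deny iptables egress rules for one session; the chain name, addresses and ports are constructed, and the commands are printed for review rather than executed.

```shell
# Added example: emit default-deny egress rules for one compute session from
# an allow-list of "proto dst port" entries. Chain name, addresses and ports
# are constructed for illustration; nothing here is taken from the thread.

gen_egress_rules() {
    chain="$1"   # per-session chain name, e.g. the session/instance id
    echo "iptables -N $chain"
    # Replies to connections that were allowed in (e.g. an admin SSH session)
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r proto dst port; do
        case "$proto" in
            tcp|udp) ;;
            *) echo "skip: unsupported proto in '$proto $dst $port'" >&2; continue ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "skip: bad port in '$proto $dst $port'" >&2; continue ;;
        esac
        echo "iptables -A $chain -p $proto -d $dst --dport $port -j ACCEPT"
    done
    # Anything not on the list is logged (so abuse stays visible) and dropped
    echo "iptables -A $chain -j LOG --log-prefix \"$chain egress-deny: \""
    echo "iptables -A $chain -j DROP"
    # Hook OUTPUT for the node's own traffic; a hypervisor filtering guest
    # traffic would hook FORWARD instead
    echo "iptables -I OUTPUT 1 -j $chain"
}

# Constructed sample allow-list: the session may only reach these endpoints.
# The icmp line has no port and is rejected by the validation above.
SAMPLE_ALLOWLIST='tcp 203.0.113.10 22
tcp 203.0.113.20 443
udp 198.51.100.53 53
icmp 203.0.113.99 0'

# Number of ACCEPT rules produced: 1 conntrack rule + one per valid entry
accept_rule_count() {
    printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_egress_rules "$1" 2>/dev/null | grep -c -- '-j ACCEPT'
}

printf '%s\n' "$SAMPLE_ALLOWLIST" | gen_egress_rules sess42
```

Fed from the session config at launch, the same generator gives every session its own chain, so the list stays the only way out of the box.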