On the other hand, I wonder how useful some of them are. Boot-level security sounds fantastic but the cost of engineering and at the rate they probably cycle hardware, with decent service-level signatures this probably largely wasted money (eg. unexpected behavior like comms from service X to service Y is default-denied at multiple levels, logged, triggers hard shutdown/reset of system). While performance is cited as a concern, you'd save a lot of money removing the design/deployment/maintenance of all that complexity and could afford a little extra (more standard) hardware.
Edit: Just trawling through, seems like quite a few of the tools are on github.com/google
This was true before Google Cloud. With Google Cloud, you can enjoy these benefits whether you are an individual developer with a sub 100$ monthly budget / a mom n pop shop with 1000$ budget or a SMB / Startup with a 10K$ - 100K $ to spend on your infrastructure.
This is protection from rogue employees acting independently, assuming it's not just marketing and ego-stroking for the engineers.
In particular, the doc says all data on the WAN (between data centers) is now encrypted.
> The NSA's of the world don't need to hack Google's infrastructure. They can just ask.
NSA doesn't just ask; they found ways to MITM Google.
You can get pretty far with commodity hardware. Even Secure Boot with custom keys prevents most threats.
At least Intel AMT improves the situation a bit.
It would be nice if this was more explicit. For example, is traffic that is TLS-terminated at their LB reencrypted all the way to the back end VM? At what point is it decrypted again? Are those keys unique to us or are they used for whatever traffic happens to traverse the same network paths? (I assume shared but with software-defined networking maybe it's practical for them to be unique.) What does the "control plane" encompass?
In any case, I'm curious what people think about trusting the service provider for inter-service and inter-VM encryption. Do you use the LB's TLS termination? Do you still enable encryption for your DB connections even if it is (or will soon be) redundant with their network encryption?
This is mostly true with today's state of the industry, but with upcoming technologies like Intel SGX, the hypervisor will not be able to access the plaintext anymore.
 - https://software.intel.com/en-us/blogs/2013/09/26/protecting...
First line on KeyCZAR repo:
"Important note: KeyCzar has some known security issues which may influence your decision to use it."
Not sure why the OP has been downvoted. Definitely something interesting to note.
Either that or someone can take the reins and update it to use modern algorithms.
I'm glad to see more assurance cases. You can't just do one thing and have a secure system. And if you want people to trust you, you need to give them a reason to trust.
The CII best practices badge ( https://bestpractices.coreinfrastructure.org ) also
has an assurance case; details at https://github.com/linuxfoundation/cii-best-practices-badge/... . If you want to help us make that better, let us know!
Huh? I thought that was exclusive to movies like Entrapment and Mission Impossible.
Edit: I obviously wasn't implying they're using the same ones. Come on, now >.>
Homesafe Safety Beam Laser Motion Detector Sensor & Alert
It has been commercialized by a security company named Xandem, some info on it:
I'll be purchasing a Xandem system soon
If you delete them from your device, it doesn't delete the cloud copy.
If you delete from an album, it removes the image from the album, but not from your account.
IIRC it gets auto-deleted after 30 days or something.
(and there are many other things)
Is "Step 5: Add '1' to the end"
Is this a delimiter for beginning of the padding or does it server some other purpose?