Google gets chatty about live migration while AWS stays mum

On Monday, Amazon wanted us to know that its staff worked day and night to avert planned reboots of cloud instances and updated a blog post to flag that information. But it didn’t provide any specifics on how these live updates were implemented.

Did Amazon use live migration — a process in which the guest OS is moved to a new, safe host? Or did it use hot patching in which dynamic kernel updates are applied without screwing around with the underlying system?

Who knows? Because Amazon Web Services ain’t saying. Speculation is that it used live migration — even though AWS proponents last fall insisted that live migration per se would not have prevented the Xen-related reboots it launched at that time.

But where AWS remains quiet, Google, which wants to challenge AWS for public cloud workloads, was only too glad to blog about its live migration capabilities launched last year. Live migration, it claimed on Tuesday, prevented a meltdown during the Heartbleed vulnerability hullabaloo in April.

Google’s post is replete with charts and graphs and eight-by-ten glossies. Kidding about the last part but there are lots of diagrams.

A betting person might wager that Google is trying to tweak Amazon on this front by oversharing. You have to credit Google’s moxie here, and its aspirations for live migration remain large. Per the Google Cloud Platform blog:

The goal of live migration is to keep hardware and software updated across all our data centers without restarting customers’ VMs. Many of these maintenance events are disruptive. They require us to reboot the host machine, which, in the absence of transparent maintenance, would mean impacting customers’ VMs.

But Google still has a long row to hoe. Last fall, when Google started deprecating an older cloud data center zone in Europe and launched a new one, there was no evidence of live migration. Customers were told to make disk snapshots and use them to relaunch new VMs in the new zone.

As reported then, Google live migration moves working VMs between physical hosts within zones but not between them. Google promised changes there too, starting in late January 2015 but there appears to be nothing new on that front as yet.

So let the cloud games continue.


Password manager Dashlane now offers automatic password changing

The password manager Dashlane, which competes with the likes of LastPass and 1Password, just gained a new trick. Through the acquisition of a New York-based startup called PassOmatic, Dashlane is now able to offer an automated password-changing feature.

Password Changer does what it says on the box. Like most password managers, Dashlane’s software already included a password generator — now, users can automatically change passwords for chosen services with a single click, making it less likely that they’ll use the same password for long periods of time. The firm is touting this as a good counter-measure against security disasters like Heartbleed, where passwords have found their way into the wrong hands.

During the beta phase that launched on Tuesday, Password Changer requires a small amount of manual intervention, but in future it will gain the ability to automatically change passwords at set intervals. It’s already compatible with sites such as Amazon, Facebook, Google, eBay and PayPal.

Like some other password managers, Dashlane’s service sees users store their passwords on the company’s servers, to enable cross-device syncing (for which Dashlane charges $39.99 per year). The files are encrypted in the user’s client beforehand, though, and Dashlane maintains that it cannot read anything without the user’s master password, which it does not have.

Asked whether law enforcement or intelligence agencies would be able to access anything, Dashlane CEO Emmanuel Schalit told me via email that agencies could only get encrypted files from the firm if it were subpoenaed, and the password would need to come from the user “as the grade of encryption used by Dashlane makes these encrypted documents very hard to attack.”

Some rivals such as 1Password don’t store any user data on their servers, and do make it possible (with some effort) to synchronize data between devices without the need for a cloud-based service. However, Dropbox remains the most flexible way to synchronize 1Password data, and that service is itself probably approachable by agencies.

It all really comes down to how much you trust the encryption, and whether you count your main threat as agencies or — far more likely — criminals. For general protection, everyone should be using a password manager, and the automated nature of what Dashlane is now offering does seem attractive. This applies to anything that makes it easier for people to adopt plausible security measures.

New York and France-based Dashlane raised a $22 million Series B round back in May and, while the PassOmatic acquisition didn’t come with any announced numbers, this is how Dashlane is using its cash. PassOmatic CEO Chana Kalai, who has now joined Dashlane along with two colleagues, said in a statement that it was “obvious to us that the solution made even more sense when combined with a password manager, and we clearly saw Dashlane as the leading and most innovative company in that field today.”

Linux Foundation rounds up vendor posse to save OpenSSL

In the wake of the Heartbleed mess, a who’s-who of tech vendors — Amazon Web Services, Google, Cisco, Dell, Facebook, IBM, Intel and others — are all aboard an effort to bolster the OpenSSL security project.