
The idea is that any sort of web console (that can be attacked with CSRF) is a really bad idea, as it likely results in a complete compromise. Most web developers are not at all good at web security (case in point being this release with easy CSRF vulnerabilities). The likelihood that the same or similar mistakes will be introduced again later is high. The conservative approach is that, because the consequences of a failure are really bad, and because the level of convenience beyond an SSH shell is marginal, you should never use web consoles. I guess if you were an expert at web security you could analyze a particular web console and say "yeah, it looks ok to me and I'm willing to take the risk." I think Patrick is saying that he doesn't see that being a worthwhile tradeoff for himself (as an expert), and therefore it seems particularly unwise for non-experts to be doing it.
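For readers wondering what the CSRF exposure of a web console actually looks like in code, here is an added example (not part of the comment above or of the project being discussed). It shows the synchronizer-token check that every state-changing request to an admin console needs: a random token bound to the server-side session, required on every non-GET request, and compared in constant time. The `session` and `form` dicts stand in for whatever a real framework provides; the cross-site request at the end is a constructed sample.

```python
import hmac
import secrets

# Added example of a synchronizer-token CSRF check for a web console.
# `session` models the server-side session store and `form` the parsed
# request body; both are assumptions standing in for a real framework.

SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the session and return it so the
    console page can embed it in a hidden form field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_check(session: dict, method: str, form: dict) -> bool:
    """Return True if the request may proceed.

    Safe (read-only) methods pass. Anything that changes state must carry
    the session's token; a request forged from another origin cannot read
    the token out of the victim's page, so it arrives without one (or with
    a wrong one) and is rejected. compare_digest avoids timing leaks.
    """
    if method.upper() in SAFE_METHODS:
        return True
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def demo() -> dict:
    """Walk through a legitimate request and two forged ones."""
    session = {}
    token = issue_csrf_token(session)

    # Legitimate console action: the page echoed the token back.
    legit = csrf_check(session, "POST", {"cmd": "restart", "csrf_token": token})

    # Constructed cross-site request: the attacker's page knows the action
    # name but not the token, so the form has no token at all.
    forged_no_token = csrf_check(session, "POST", {"cmd": "restart"})

    # Constructed guess: a wrong token is rejected just the same.
    forged_bad_token = csrf_check(session, "POST", {"cmd": "restart", "csrf_token": "guess"})

    # Read-only request needs no token.
    read_only = csrf_check(session, "GET", {})

    return {
        "legit": legit,
        "forged_no_token": forged_no_token,
        "forged_bad_token": forged_bad_token,
        "read_only": read_only,
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately placed on the server side of every state-changing route rather than on individual forms, which is the shape of mistake the comment is pointing at: a console that forgets the token on even one destructive endpoint is fully exposed to any page the administrator happens to visit while logged in.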

There is some buzz about doing cloud to cloud attacks but I haven't heard anything that's been realized yet. I have also heard that there are issues with data staying resident on local disks on EC2 after machine termination, but I don't know if that's the case.
