[aklug] Re: My virtual server on Amazon

Each "Instance" is, in itself, useless for more than processing and storing
temporary files; luckily for us, that's primarily what we need.
EBS, or Elastic Block Storage, is used to store data for a long period of
time. You can format it any way you want, mount it to a single instance,
copy files off, unmount, or even encrypt all data to and from it (a large
waste of cycles if you ask me, of course, depending on the data).
I enjoy the Cloud, however, I'm not sure where it falls into PCI Compliance
when it comes to storing sensitive details; I suggest you use the cloud as a
processing center, and some physical data center for your important items,
like database storage, backups, and sensitive data - this way, you control
everything behind firewalls and security, while the "Cloud" may serve up
static content or non-sensitive information.

I also recommend looking into Rightscale - www.rightscale.com - if you're in
the Cloud.

--Will

On Mon, May 18, 2009 at 2:13 PM, Damien Hull <damien@linuxninjas.tv> wrote:

> My server doesn't have a password. Not when it starts anyway. The details
> are a bit fuzzy but there is an X.509 cert that goes with the server. You
> need that to boot it.
>
> Even if an admin at Amazon is able to boot the server there's nothing their
> for them to see...
>
> ----- Original Message -----
> From: jonr@destar.net
> To: aklug@aklug.org
> Sent: Monday, May 18, 2009 10:05:26 AM GMT -09:00 Alaska
> Subject: [aklug] Re: My virtual server on Amazon
>
> They would easily be able to log into your VM. They would just change
> the root password.
>
> Jon
>
> Quoting Damien Hull <damien@linuxninjas.tv>:
>
> > Hmm... Never thought if it that way... In any case, no data is
> > stored on the image. nothing important anyway. When you shut down
> > the virtual server all data is lost. Any data you want to save must
> > be stored on an EBS.
> >
> > If the EBS is encrypted an admin at Amazon won't be able to look at
> > backup data or mount the EBS. Again, it all depends on how paranoid
> > one wants to be. And yes, I know that a running server gives one
> > access to the EBS or all my data... Assuming they have a way to
> > login to my virtual server...
> >
> >
> > ----- Original Message -----
> > From: "Shane R. Spencer" <shane@bogomip.com>
> > To: "Damien Hull" <damien@linuxninjas.tv>
> > Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
> > Sent: Sunday, May 17, 2009 3:19:27 PM GMT -09:00 Alaska
> > Subject: Re: [aklug] Re: My virtual server on Amazon
> >
> > Your X.509 cert determines your authenticity to start the virtual
> > machine.. but the machine image itself is not encrypted once it's stored
> > @ S3. Not unless they chose to use a crypto loopback device to handle
> > your image. Sounds like a waste of cycles since they end up decrypting
> > it anyways.
> >
> > Also.. Amazon gives you your X.509 cert that you generate using their
> > servers. Authenticated against their trusted master keys. Sigh.
> >
> > I have no idea why the images are even encrypted. Anybody? Other than
> > marketing and false senses of security can anybody tell me why the
> > amazon encryption methods work and how they protect your data, and from
> > who? Sure it keeps the stream pretty as it gets uploaded.. lower MITM
> > attack rate if it's done that way. That's why I use ssh/scp.
> >
> > Shane
> >
> >
> > Damien Hull wrote:
> >> True... However, so much of what we do is in the cloud. Email and
> >> shopping are good examples. There's encryption for email but people
> >> don't use it. Our credit card info is encrypted during the
> >> transaction process but it's sitting on a server somewhere. That's
> >> how the bad guys get it.
> >>
> >> I think it depends on what kind of data we're talking about. What I
> >> post on my blog doesn't need to be encrypted. Documentation about
> >> server settings is another story. I might want to keep that safe...
> >>
> >> Data security will be come a big issue as more and more people use
> >> web based applications. Google docs is a good example. How safe are
> >> ones doc's on Google?
> >>
> >> There's no simple answer. I'll watch what I put in the cloud but
> >> I'm not taking the paranoid approach.
> >>
> >> NOTE
> >> My Ubuntu server image on Amazon is encrypted. It can't be started
> >> with out my X.509 cert.
> >>
> >> ----- Original Message -----
> >> From: "Shane R. Spencer" <shane@bogomip.com>
> >> To: "Damien Hull" <damien@linuxninjas.tv>
> >> Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
> >> Sent: Sunday, May 17, 2009 2:29:38 PM GMT -09:00 Alaska
> >> Subject: Re: [aklug] Re: My virtual server on Amazon
> >>
> >> Somebody somewhere has a funny saying about "Better than nothing".
> >>
> >> Just remember that your encryption key is in memory on a box somewhere
> >> that's out of your control.. And cryptsetup needs to be validated
> >> against your package repository before being used. Virtual server
> >> environments are fun because of all the security problems they impose.
> >>
> >> When storing data to an offsite backup system I always back up the
> >> result of an encrypted block device, file, or stream. Like when using
> >> ecryptfs or encfs, you back up the encrypted directory using tools like
> >> rsync since you'll never be able to decypher the names using, say, tab
> >> completion. You just have to back up the entire thing.
> >>
> >> When using duplicity you pipe the output of their stream archive format
> >> through GPG running on a local host. This way you control everything
> >> assuming you are in control of your own box.
> >>
> >> Anyways.. it doesn't need to be this tight if the data doesn't require
> >> it. But encryption is next to useless if you're doing the processing on
> >> a virtual machine on top of a host that you have no control over.
> >>
> >> Shane
> >>
> >> Damien Hull wrote:
> >>> This is true. Couple of things to remember...
> >>> 1. This is all web data...
> >>> 2. No different then a real server in some far off data center
> >>>
> >>> There are exceptions...
> >>> 1. Email
> >>> 2. Groupware applications that allow users to upload files etc...
> >>>
> >>> I'm looking at encrypting my data. That doesn't include /etc...
> >>> Amazon has a service called the "Elastic Bloc Service" or EBS for
> >>> short. Luks Format for block level data encryption... If the EBS
> >>> block device is mounted my data is wide open. However, snapshots
> >>> would be encrypted...
> >>>
> >>> It's better then nothing...
> >>>
> >>>
> >>> ----- Original Message -----
> >>> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
> >>> To: "Damien Hull" <damien@linuxninjas.tv>
> >>> Cc: aklug@aklug.org
> >>> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
> >>> Subject: Re: [aklug] My virtual server on Amazon
> >>>
> >>> On Mon, 11 May 2009, Damien Hull wrote:
> >>>
> >>>> I think this is the wave of the future. I don't have to worry
> >>>> about hardware... Or fast Internet connections. Very cool!
> >>> :-) It sounds interesting, but remember, all things within reason.
> >>> Remember, now someone other than you has direct access to any private
> data
> >>> you put on that cloud, whether it be private SSL or SSH keys, your
> shadow
> >>> file, etc.
> >>>
> >>> Something to think about before you use the same passwords as you
> >>> do on your
> >>> own systems.
> >>>
> >>> --Arthur Corliss
> >>> Live Free or Die
> >>>
> >>
> >>
> >
> >
> > --
> > Damien Hull
> > Linux Ninja
> > Open Source Assassin
> >
> > http://linuxninjas.tv
> > http://elite.linuxninjas.tv
> > http://www.digital-overload.net
> >
> > ---------
> > To unsubscribe, send email to <aklug-request@aklug.org>
> > with 'unsubscribe' in the message body.
> >
> >
>
>
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>
> --
> Damien Hull
> Linux Ninja
> Open Source Assassin
>
> http://linuxninjas.tv
> http://elite.linuxninjas.tv
> http://www.digital-overload.net
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>

-- 
Warm regards,
William Attwood
Idea Extraordinaire
wattwood@gmail.com
P. J. O'Rourke<http://www.brainyquote.com/quotes/authors/p/p_j_orourke.html>
- "Never fight an inanimate object."
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.