There are security risks in any hosted solution. Unless you're the one doing the hosting. As long as you understand the risks I don't think there's anything to worry about. Not in my case anyway...
The nice thing about Amazon is that they have a fast net connection and lots of options. I can start servers when I want and there's a load balancing option if I need it. You know, for when my site becomes super popular and one virtual server just won't do.
Price is the best feature of all. It's cheap! Server Beach offers real cheap dedicated hosting solutions. It'll be interesting to see if my little Amazon server beats their price... I hope so...
Good times in the cloud...
----- Original Message -----
From: "Shane R. Spencer" <shane@bogomip.com>
To: "Damien Hull" <damien@linuxninjas.tv>
Cc: jonr@destar.net, aklug@aklug.org
Sent: Monday, May 18, 2009 12:31:55 PM GMT -09:00 Alaska
Subject: Re: [aklug] Re: My virtual server on Amazon
Amazon assigned you the x.509 cert and you tell them what password to
use. They have direct access to decrypt your image since they know the
secret.
On another note.. I run some servers on a remote OpenVZ host for cheap
amounts per month.. I enjoy it.. I store all my encrypted stuff in
encrpyted formats or overlays (encfs rocks my world) and my root user
doesn't have a password. If they need to set one they can do it on a
whim - they have direct access to do whatever they want with my server.
This is about the same with Amazon. They are more security minded,
obviously, and may make for a more secure hosting environment with a
lower exploit factor. But encrypted data ALWAYS needs to be decrypted
to be put to use. I appreciate what Amazon is doing, I think it's
pretty spiffy. But it's also just a start to a more secured off-site
computing environment. Massive amounts of stuffs will have to change
before on-site or off-site computing can be uncrackable, unrootable, and
security flaw free. I'd hate to think Amazon is guiding people into a
false sense of security. However they have developed a system similar
to a secure copy ala ssh for their own means, using x.509 cert
standards. The difference being I don't control the cert used to upload
and mount the image.
Damien, I think I'm going to test out Amazon EC2 now.
Shane
Damien Hull wrote:
> My server doesn't have a password. Not when it starts anyway. The details are a bit fuzzy but there is an X.509 cert that goes with the server. You need that to boot it.
>
> Even if an admin at Amazon is able to boot the server there's nothing their for them to see...
>
> ----- Original Message -----
> From: jonr@destar.net
> To: aklug@aklug.org
> Sent: Monday, May 18, 2009 10:05:26 AM GMT -09:00 Alaska
> Subject: [aklug] Re: My virtual server on Amazon
>
> They would easily be able to log into your VM. They would just change
> the root password.
>
> Jon
>
> Quoting Damien Hull <damien@linuxninjas.tv>:
>
>> Hmm... Never thought if it that way... In any case, no data is
>> stored on the image. nothing important anyway. When you shut down
>> the virtual server all data is lost. Any data you want to save must
>> be stored on an EBS.
>>
>> If the EBS is encrypted an admin at Amazon won't be able to look at
>> backup data or mount the EBS. Again, it all depends on how paranoid
>> one wants to be. And yes, I know that a running server gives one
>> access to the EBS or all my data... Assuming they have a way to
>> login to my virtual server...
>>
>>
>> ----- Original Message -----
>> From: "Shane R. Spencer" <shane@bogomip.com>
>> To: "Damien Hull" <damien@linuxninjas.tv>
>> Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
>> Sent: Sunday, May 17, 2009 3:19:27 PM GMT -09:00 Alaska
>> Subject: Re: [aklug] Re: My virtual server on Amazon
>>
>> Your X.509 cert determines your authenticity to start the virtual
>> machine.. but the machine image itself is not encrypted once it's stored
>> @ S3. Not unless they chose to use a crypto loopback device to handle
>> your image. Sounds like a waste of cycles since they end up decrypting
>> it anyways.
>>
>> Also.. Amazon gives you your X.509 cert that you generate using their
>> servers. Authenticated against their trusted master keys. Sigh.
>>
>> I have no idea why the images are even encrypted. Anybody? Other than
>> marketing and false senses of security can anybody tell me why the
>> amazon encryption methods work and how they protect your data, and from
>> who? Sure it keeps the stream pretty as it gets uploaded.. lower MITM
>> attack rate if it's done that way. That's why I use ssh/scp.
>>
>> Shane
>>
>>
>> Damien Hull wrote:
>>> True... However, so much of what we do is in the cloud. Email and
>>> shopping are good examples. There's encryption for email but people
>>> don't use it. Our credit card info is encrypted during the
>>> transaction process but it's sitting on a server somewhere. That's
>>> how the bad guys get it.
>>>
>>> I think it depends on what kind of data we're talking about. What I
>>> post on my blog doesn't need to be encrypted. Documentation about
>>> server settings is another story. I might want to keep that safe...
>>>
>>> Data security will be come a big issue as more and more people use
>>> web based applications. Google docs is a good example. How safe are
>>> ones doc's on Google?
>>>
>>> There's no simple answer. I'll watch what I put in the cloud but
>>> I'm not taking the paranoid approach.
>>>
>>> NOTE
>>> My Ubuntu server image on Amazon is encrypted. It can't be started
>>> with out my X.509 cert.
>>>
>>> ----- Original Message -----
>>> From: "Shane R. Spencer" <shane@bogomip.com>
>>> To: "Damien Hull" <damien@linuxninjas.tv>
>>> Cc: "Arthur Corliss" <acorliss@nevaeh-linux.org>, aklug@aklug.org
>>> Sent: Sunday, May 17, 2009 2:29:38 PM GMT -09:00 Alaska
>>> Subject: Re: [aklug] Re: My virtual server on Amazon
>>>
>>> Somebody somewhere has a funny saying about "Better than nothing".
>>>
>>> Just remember that your encryption key is in memory on a box somewhere
>>> that's out of your control.. And cryptsetup needs to be validated
>>> against your package repository before being used. Virtual server
>>> environments are fun because of all the security problems they impose.
>>>
>>> When storing data to an offsite backup system I always back up the
>>> result of an encrypted block device, file, or stream. Like when using
>>> ecryptfs or encfs, you back up the encrypted directory using tools like
>>> rsync since you'll never be able to decypher the names using, say, tab
>>> completion. You just have to back up the entire thing.
>>>
>>> When using duplicity you pipe the output of their stream archive format
>>> through GPG running on a local host. This way you control everything
>>> assuming you are in control of your own box.
>>>
>>> Anyways.. it doesn't need to be this tight if the data doesn't require
>>> it. But encryption is next to useless if you're doing the processing on
>>> a virtual machine on top of a host that you have no control over.
>>>
>>> Shane
>>>
>>> Damien Hull wrote:
>>>> This is true. Couple of things to remember...
>>>> 1. This is all web data...
>>>> 2. No different then a real server in some far off data center
>>>>
>>>> There are exceptions...
>>>> 1. Email
>>>> 2. Groupware applications that allow users to upload files etc...
>>>>
>>>> I'm looking at encrypting my data. That doesn't include /etc...
>>>> Amazon has a service called the "Elastic Bloc Service" or EBS for
>>>> short. Luks Format for block level data encryption... If the EBS
>>>> block device is mounted my data is wide open. However, snapshots
>>>> would be encrypted...
>>>>
>>>> It's better then nothing...
>>>>
>>>>
>>>> ----- Original Message -----
>>>> From: "Arthur Corliss" <acorliss@nevaeh-linux.org>
>>>> To: "Damien Hull" <damien@linuxninjas.tv>
>>>> Cc: aklug@aklug.org
>>>> Sent: Monday, May 11, 2009 10:12:07 PM GMT -09:00 Alaska
>>>> Subject: Re: [aklug] My virtual server on Amazon
>>>>
>>>> On Mon, 11 May 2009, Damien Hull wrote:
>>>>
>>>>> I think this is the wave of the future. I don't have to worry
>>>>> about hardware... Or fast Internet connections. Very cool!
>>>> :-) It sounds interesting, but remember, all things within reason.
>>>> Remember, now someone other than you has direct access to any private data
>>>> you put on that cloud, whether it be private SSL or SSH keys, your shadow
>>>> file, etc.
>>>>
>>>> Something to think about before you use the same passwords as you
>>>> do on your
>>>> own systems.
>>>>
>>>> --Arthur Corliss
>>>> Live Free or Die
>>>>
>>>
>>
>> --
>> Damien Hull
>> Linux Ninja
>> Open Source Assassin
>>
>> http://linuxninjas.tv
>> http://elite.linuxninjas.tv
>> http://www.digital-overload.net
>>
>> ---------
>> To unsubscribe, send email to <aklug-request@aklug.org>
>> with 'unsubscribe' in the message body.
>>
>>
>
>
>
>
> ---------
> To unsubscribe, send email to <aklug-request@aklug.org>
> with 'unsubscribe' in the message body.
>
>
-- Damien Hull Linux Ninja Open Source Assassin http://linuxninjas.tv http://elite.linuxninjas.tv http://www.digital-overload.net --------- To unsubscribe, send email to <aklug-request@aklug.org> with 'unsubscribe' in the message body.Received on Tue May 19 08:18:21 2009
This archive was generated by hypermail 2.1.8 : Tue May 19 2009 - 08:18:21 AKDT