Are The Idiots On EC2 (and others) Ready?
The Market Ticker - Commentary on The Capital Markets

2018-01-02 07:00 by Karl Denninger
in Technology, 289 references
Are The Idiots On EC2 (and others) Ready?

As I have long maintained, in the computing world, unless you have physical control over a box and supervisory control over every single employee who has privileged access to said box, you have no security whatsoever.

Period.

There will always be another bug. Or a "misfeature", whether it arises out of hubris, incomplete security review, hurried production or malfeasance of some sort.

There is now some evidence that exactly that sort of "you're screwed" problem has been discovered that may well be a hardware issue in at least some commonly used processors in so-called "cloud" environments.

This would, if true, allow one "client" to "jump the fence" and either access someone else's memory (in other words, a different client's) or, much worse, possibly gain access to the hypervisor, at which point all pretense of security on said box falls to pieces.

Please realize that any such breach is a "game over" sort of event because it allows recovery of active encryption keys and other highly-sensitive data in active use by said other customer/client.  If I can get your encryption key I can pretend to be you (bad) or simply steal all your encrypted data and decode it (maybe worse!)

The pointer to some specific discussions on this point was sent to me by a reader -- and perusing through it, and where that led me, leads me to believe this is quite real and a handful of people are extremely worried -- not only about it but about keeping it real quiet.

The question is whether that's an attempt to forestall "bad guys" from using it or customers of some of the biggest cloud providers from discovering that it can impact them and fleeing.

Given where this looks like it's aimed and heading my money is on the latter.


Comments
Bodhi
Posts: 185
Incept: 2008-02-23

Georgia
I recently started learning the Linux system in earnest. It's like learning a foreign language. I've learned enough so far to appreciate the ability to tweak settings "under the hood", so to say, as opposed to Windows. I'm certainly no IT admin, but I've already figured out how to enable useful features, disable potential security holes, and get my Linux devices not only talking to each other, but also talking to my Windows PCs. I've also figured out how to telnet into my router to enable and tweak hidden settings. I do know enough to keep telnet disabled except when I want to take a look around the router's file system. I wish I had done this years ago.
Rollformer
Posts: 188
Incept: 2013-02-13

The only real reason I could see using the cloud is if I had a massively parallel simulation I wanted to run, and didn't have the resources to have a server/workstation on site to do it. Even then, I wouldn't want to use sensitive data.

I've been writing some Monte Carlos in Python (yes, I know), and I would like to multithread them and run them on the cloud, but I am afraid of the billing. Don't want a massive credit card bill for satisfying my curiosity about something.
Jacksparrow
Posts: 34
Incept: 2016-04-15

4116 Libby Rd NE, Olympia WA 98506
I was concerned when I heard our government parks classified data on cloud servers, so I asked my brother-in-law who sets up the encryption keys for government computer systems locally. He said their systems encrypt the data before it reaches the cloud which then encrypts the encrypted data. So I guess it leaves their data subject to corruption, and then subject to just how good of encryption the government systems use. Quantum computer anyone?
Sean_kelly
Posts: 1
Incept: 2017-12-30

Oregon
Yeah, as an anecdote, I've noticed when using GoDaddy and cPanel that if I launch phpMyAdmin and try to create certain common database names, I get a "database already exists". I've also used Amazon AWS to provision MySQL databases and noticed similar things. These are not even hardware issues; they are way higher up the stack at the application level. I can only imagine what possibilities are there. Parking proprietary data in the cloud seems about as smart as putting gold in a safe deposit box just before FDR took office.
Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
Quote:
I was concerned when I heard our government parks classified data on cloud servers, so I asked my brother-in-law who sets up the encryption keys for government computer systems locally. He said their systems encrypt the data before it reaches the cloud which then encrypts the encrypted data.

Uh huh.

First, cloud storage of bulk data is always hideously expensive compared against doing it yourself. Always. As an example Digital Ocean charges 10 cents/GB/month for "block storage", and AWS is the same for "general purpose". High-performance on AWS is more expensive (DO wins there bigly because there's no charge for I/Os, but there is on AWS.)

AWS has HDD storage too and it's cheaper (about 1/2 to 1/4 of the above) but even so it's idiotic. Consider that a TB is 1,000GB, so you're paying $45/TB/month before any I/O or processing costs just to stash the data.

May I remind you that I can buy NAS-grade 6TB disks for under $200? If you mirror (best performance and highest cost of the RAID options) that means it costs you $66/TB to buy the storage - and you pay ONCE. NAS-style drives are perfectly fine for "cold storage" type applications and even the most-expensive SAS/Helium-filled "really good ones" are about double that, which means for what you pay in THREE MONTHS in cloud storage cost you can buy the disks and own them. In other words it's roughly ten times as expensive in terms of life-cycle cost, if not more, to use cloud for this purpose -- and it just gets worse from there.

There's also no redundancy guarantee on the cloud providers either (they accept ZERO responsibility if they lose the data) so YOU get to either buy two or take the risk that whatever they did internally is "good enough" where if you provision your own (e.g. ZFS 2+2) you can lose ANY TWO of the four volumes and have no actual loss of data. Never mind that YOU control the storage encryption keys in such an application locally, NOT someone else.

There is an argument for cloud use where you have very "bursty" CPU requirements that are only necessary for a few hours a month.

There is NEVER an argument for it in the realm of bulk storage. EVER. Not only is it expensive as hell you lose ALL control over the security of said data.

----------
Winding it down.

Ckaminski
Posts: 4382
Incept: 2011-04-08

Mass-Hole!
Quote:
parks classified data on cloud servers


There is literally NO point to this unless you want to actually do work on it, and then you're at risk, because you have to decrypt it.

It's actually cheaper (still) to use a truck and a crapload of tapes (maybe bare drives these days) for backups versus "cloud" solutions.



Moon
Posts: 18
Incept: 2017-12-23

various
Banned
Well yeah.... but how else are you supposed to get nekkies?
Moon
Posts: 18
Incept: 2017-12-23

various
Banned
Oops forgot the hashtag <sarcasm>
Attilahooper
Posts: 2769
Incept: 2007-08-28

New York, by way of Montreal Canada.
I am curious what hardware vuln exists? Which manufacturer and model?
I recall an article in Wired a while back; it spoke of a Russian guy who got hold of VMware source and found a vuln that permitted breakout from the hypervisor. I think he was extorting them not to release.

----------
We are the Champions - No time for losers - Queen
https://www.youtube.com/watch?v=04854Xqc....

Aerius
Posts: 889
Incept: 2008-03-19

GTA
Remembering back to when AWS went down and took down a crapload of retail POS, commercial, and other systems with it, yeah, if that gets breached it's truly game over. I can't even begin to imagine the kind of bad things that someone could do if they got their hands on that data after compromising the cloud systems, and I have a pretty good imagination.
Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
Quote:
I am curious what hardware vuln exists? Which manufacturer and model?

I'm assuming it's some sort of problem with the Intel MMU which allows either exposing someone else's PHYS mapped space (bad) or, possibly much worse, flipping a bit in an arbitrary person's mapped space.

The latter would allow a trivial privilege escalation attack that would give the attacker "root" on whoever he ran it against -- and the obvious target then is the hypervisor itself since that gives you instant access to the entire physical mapped address space of ALL of the clients.

----------
Winding it down.
Vernonb
Posts: 1949
Incept: 2009-06-03

East of Sheol
From what I have seen the main reason to be quiet is to allow executives to dump their now worthless stocks into the market while pretending an issue that makes those stocks worthless does not exist.

These people are looking for another bag holder is all. They don't give a damn about the public at large or their customers.

----------
"Mass intelligence does not mean intelligent masses."
Attilahooper
Posts: 2769
Incept: 2007-08-28

New York, by way of Montreal Canada.

----------
We are the Champions - No time for losers - Queen
https://www.youtube.com/watch?v=04854Xqc....

Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
Probably not, although that one looks bad too.

This looks to be, given what's being worked on and who's doing the working, that it's exploitable either at the operating system kernel level, Xen (hypervisor) level, or BOTH. As far as I know there's no *published* CVE on it at this point.....

----------
Winding it down.
Highaltitude
Posts: 8
Incept: 2018-01-02

Colorado
Would this be the one you are talking about?

The mysterious case of the Linux Page Table Isolation patches

http://pythonsweetness.tumblr.com/post/1....
Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
That was the start of what I followed around, yes.... it looks ugly.

----------
Winding it down.
Highaltitude
Posts: 8
Incept: 2018-01-02

Colorado
Even worse it looks like the cure can cause significant performance issues. It could cause a major issue for cloud providers if it really does cause as much as a 50% performance degradation. Rumors are that Microsoft is patching the NT kernel for the same thing.
Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
Yeah the problem is that fixing it through a software hack (it looks like a ****up in how the page-table mapping interacts with cache lines in the CPU) appears to involve an inescapable SEVERE performance hit since you have to flush said cache line.

This could get quite interesting.....


----------
Winding it down.
Rollformer
Posts: 188
Incept: 2013-02-13

Is this why my 8th Gen I-7 processor runs out of memory and runs up the CPU when I read ZeroHedge?
Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
Probably not.

----------
Winding it down.
Attilahooper
Posts: 2769
Incept: 2007-08-28

New York, by way of Montreal Canada.
Rollformer - the NoScript plugin for Firefox should kill most of those abusive advertising scripts. Be prepared to spend some time whitelisting your favorite sites.
I found a similar plugin for Chrome but I'm not in front of that PC now.

@ALL
It's not just cloud providers, it's all the CPUs noted. Be prepared for a huge performance hit on your desktop or laptop! If I understand correctly.

----------
We are the Champions - No time for losers - Queen
https://www.youtube.com/watch?v=04854Xqc....

Tickerguy
Posts: 151177
Incept: 2007-06-26
A True American Patriot!
That depends on the exact scope of this. It may be sufficient to use it if you detect the CPU is on a Hypervisor (which you CAN detect.)

Of course if that's the case it makes the "cloud computing" argument go VERY pear-shaped for a LOT of people on the economics....

----------
Winding it down.
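Tickerguy's remark above that you can detect whether the CPU is on a hypervisor, and the later posts about the page-table isolation patch being the cure with its performance cost, both come down to checks a defender can script from inside a Linux guest. The following is an added example, not code from the thread or from any project it mentions: it parses the kernel-reported CPU flags from /proc/cpuinfo (the "hypervisor" flag, which the kernel sets from CPUID leaf 1 ECX bit 31, and the "pti" flag, which appears once page-table isolation is active) and reads the sysfs vulnerability files that kernels carrying the fix expose. The /proc/cpuinfo samples and the sysfs status dictionary are constructed so the script runs offline; on a live Linux box it reads the real files.

```python
"""Check from inside a Linux guest whether the CPU is virtualized and whether the
kernel's page-table isolation (PTI) mitigation is active.

Added example, not code from the thread or from any project it names. Reads
/proc/cpuinfo and the sysfs vulnerability directory on a live system; the
SAMPLE_* values below are constructed stand-ins so it also runs offline.
"""
import os
import re

CPUINFO_PATH = "/proc/cpuinfo"
VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"


def parse_flags(cpuinfo_text):
    """Return the set of CPU feature flags found in /proc/cpuinfo-formatted text."""
    flags = set()
    for line in cpuinfo_text.splitlines():
        match = re.match(r"^flags\s*:\s*(.*)$", line)
        if match:
            flags.update(match.group(1).split())
    return flags


def is_hypervisor_guest(flags):
    """True when the kernel reports the 'hypervisor' flag (CPUID leaf 1, ECX bit 31),
    which mainstream hypervisors set for their guests."""
    return "hypervisor" in flags


def pti_active(flags):
    """True when the kernel reports the 'pti' flag, i.e. kernel and user page tables are split."""
    return "pti" in flags


def read_vulnerability_status(vuln_dir=VULN_DIR):
    """Map each sysfs vulnerability entry (e.g. 'meltdown') to its status string.
    Returns an empty dict on kernels that predate the sysfs interface."""
    status = {}
    if not os.path.isdir(vuln_dir):
        return status
    for name in sorted(os.listdir(vuln_dir)):
        try:
            with open(os.path.join(vuln_dir, name)) as fh:
                status[name] = fh.read().strip()
        except OSError:
            continue
    return status


def assess(cpuinfo_text, vuln_status):
    """Combine both signals into a small report dict.

    On kernels with the fix, vuln_status['meltdown'] reads 'Not affected',
    'Vulnerable' or 'Mitigation: PTI'; if the entry is absent the kernel cannot tell us."""
    flags = parse_flags(cpuinfo_text)
    guest = is_hypervisor_guest(flags)
    pti = pti_active(flags)
    meltdown = vuln_status.get("meltdown", "unknown")
    # A guest sharing hardware with other tenants, running without PTI and not
    # reported as unaffected, is the exposure the thread worries about.
    exposed = guest and not pti and meltdown != "Not affected"
    return {
        "hypervisor_guest": guest,
        "pti_active": pti,
        "meltdown_status": meltdown,
        "needs_attention": exposed,
    }


# Constructed samples: an unpatched VM and the same VM after the PTI kernel update.
SAMPLE_CPUINFO_UNPATCHED_VM = """processor\t: 0
vendor_id\t: GenuineIntel
model name\t: Example CPU (constructed sample)
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx lm constant_tsc hypervisor
"""
SAMPLE_CPUINFO_PATCHED_VM = SAMPLE_CPUINFO_UNPATCHED_VM.replace("hypervisor\n", "hypervisor pti\n")
SAMPLE_VULNS_PATCHED = {"meltdown": "Mitigation: PTI", "spectre_v1": "Vulnerable"}  # constructed


if __name__ == "__main__":
    try:
        with open(CPUINFO_PATH) as fh:
            report = assess(fh.read(), read_vulnerability_status())
    except OSError:
        # Not on Linux: fall back to the constructed unpatched sample.
        report = assess(SAMPLE_CPUINFO_UNPATCHED_VM, {})
    for key, value in report.items():
        print(f"{key}: {value}")
```

The "needs_attention" field is deliberately conservative: it only clears a guest when PTI is on or the kernel itself reports "Not affected", so a kernel too old to carry the sysfs entries is treated as unknown rather than safe.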

Attilahooper
Posts: 2769
Incept: 2007-08-28

New York, by way of Montreal Canada.
There's some banter and good refs on slashdot today. Including a post by an AMD employee that their arch is not vuln.

https://it.slashdot.org/story/18/01/02/2....

----------
We are the Champions - No time for losers - Queen
https://www.youtube.com/watch?v=04854Xqc....

Analog
Posts: 1508
Incept: 2010-12-29

arkansas ozarks
Pardon my ignorance of software, guys, I was a 'scope and logic analyzer and Simpson 260 type of guy.

Quote:
Parking proprietary data in the cloud seems about as smart as putting gold in a safe deposit box just before FDR took office.

Hmmm.. are Bitcoins mined on "The Cloud"?
Quote:
Hey boss, did you ever see a more splendiferous crash? ...Alexis Zorba


a.

----------
Never trust a computer with anything important.